Bug 2274118 (CVE-2024-3177) - CVE-2024-3177 kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Summary: CVE-2024-3177 kubernetes: kube-apiserver: bypassing mountable secrets policy ...
Keywords:
Status: NEW
Alias: CVE-2024-3177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2275405
Blocks: 2274120
Reported: 2024-04-09 08:15 UTC by TEJ RATHI
Modified: 2024-08-05 12:07 UTC (History)

Fixed In Version: Kubernetes 1.27.13, Kubernetes 1.28.9, Kubernetes 1.29.4
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0043 0 None None None 2024-06-27 13:15:53 UTC

Description TEJ RATHI 2024-04-09 08:15:37 UTC
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Versions

Kubernetes < 1.27.12
Kubernetes < 1.28.8
Kubernetes < 1.29.3
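As an added illustration (not code from this report or from Kubernetes itself), the following Python check mirrors the secret references the ServiceAccount admission plugin inspects when a ServiceAccount carries the kubernetes.io/enforce-mountable-secrets annotation, and shows how skipping the envFrom walk (the pre-fix behaviour the description refers to) lets a secretRef pass unchecked. The ServiceAccount and Pod objects are constructed sample data.

```python
# Added example: audit a Pod spec against a ServiceAccount's
# enforce-mountable-secrets policy. Not Kubernetes' own code; the
# sample objects below are constructed for the demonstration.
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def allowed_secrets(service_account):
    """Names of secrets the ServiceAccount declares mountable (its .secrets list)."""
    return {ref["name"] for ref in service_account.get("secrets", [])}


def pod_secret_refs(pod_spec, include_envfrom=True):
    """Every secret name a Pod spec references, tagged with where it was found.

    include_envfrom=False reproduces the gap in the affected versions,
    where envFrom[].secretRef was not part of the check.
    """
    refs = []
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            refs.append(("volume", vol["secret"]["secretName"]))
    for field in CONTAINER_FIELDS:
        for c in pod_spec.get(field, []):
            for env in c.get("env", []):
                key_ref = env.get("valueFrom", {}).get("secretKeyRef")
                if key_ref:
                    refs.append((f"{field}/env", key_ref["name"]))
            if include_envfrom:
                for src in c.get("envFrom", []):
                    if "secretRef" in src:
                        refs.append((f"{field}/envFrom", src["secretRef"]["name"]))
    return refs


def policy_violations(service_account, pod_spec, include_envfrom=True):
    """Secret references the admission check should reject (empty if the policy is off)."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []
    allowed = allowed_secrets(service_account)
    return [ref for ref in pod_secret_refs(pod_spec, include_envfrom) if ref[1] not in allowed]


# Constructed sample objects: the SA only permits "app-token", but the Pod
# pulls "db-creds" via envFrom in a container and via env in an init container.
SA = {"metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
      "secrets": [{"name": "app-token"}]}
POD = {"serviceAccountName": "app",
       "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
       "containers": [{"name": "main", "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
       "initContainers": [{"name": "init", "env": [
           {"name": "P", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "p"}}}]}]}

if __name__ == "__main__":
    print("fixed check:", policy_violations(SA, POD))
    print("pre-fix check:", policy_violations(SA, POD, include_envfrom=False))
```

With the envFrom walk disabled, only the init container's env reference is flagged and the envFrom reference to the same secret is missed, which is the behaviour the fixed versions close.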

Comment 7 TEJ RATHI 2024-04-17 05:26:27 UTC
Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-38 [bug 2275405]

Comment 10 errata-xmlrpc 2024-06-27 13:15:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0043 https://access.redhat.com/errata/RHSA-2024:0043

