Bug 2274118 (CVE-2024-3177) - CVE-2024-3177 kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Summary: CVE-2024-3177 kubernetes: kube-apiserver: bypassing mountable secrets policy ...
Keywords:
Status: NEW
Alias: CVE-2024-3177
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2275405
Blocks: 2274120
Reported: 2024-04-09 08:15 UTC by TEJ RATHI
Modified: 2024-05-09 07:01 UTC (History)
CC List: 6 users

Fixed In Version: Kubernetes 1.27.13, Kubernetes 1.28.9, Kubernetes 1.29.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes' kube-apiserver. This flaw allows authenticated users to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2024-04-09 08:15:37 UTC
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Versions

Kubernetes < 1.27.12
Kubernetes < 1.28.8
Kubernetes < 1.29.3
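The bypass described above is a gap in which Pod fields the mountable-secrets check walks. The following added example (constructed for this page, not code from the bug report or from Kubernetes) audits a Pod spec against a ServiceAccount's `secrets` list the way the admission plugin does when the SA carries the `kubernetes.io/enforce-mountable-secrets` annotation, and includes the `envFrom.secretRef` path across containers, init containers and ephemeral containers; the sample SA and Pod are constructed inputs.

```python
# Pod-spec audit for the ServiceAccount mountable-secrets policy (CVE-2024-3177).
# Constructed example, not code from the report or from Kubernetes. It mirrors the
# check applied when an SA carries the kubernetes.io/enforce-mountable-secrets
# annotation, and walks the envFrom.secretRef path the report says was bypassed.

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

def _container_secret_refs(container):
    """Yield (field, secret_name) for each secret a container pulls in via env."""
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            yield "env.valueFrom.secretKeyRef", ref["name"]
    for src in container.get("envFrom", []):  # the field this CVE is about
        ref = src.get("secretRef")
        if ref:
            yield "envFrom.secretRef", ref["name"]

def find_unmountable_secrets(pod, service_account):
    """Return (location, secret) pairs not listed in the SA's `secrets`; [] passes."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []  # policy not enforced for this SA
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    spec = pod.get("spec", {})
    violations = []
    for vol in spec.get("volumes", []):
        secret = vol.get("secret")
        if secret and secret["secretName"] not in allowed:
            violations.append((f"volumes[{vol['name']}].secret", secret["secretName"]))
    # All three container kinds named in the report must be walked.
    for kind in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            for field, name in _container_secret_refs(c):
                if name not in allowed:
                    violations.append((f"{kind}[{c['name']}].{field}", name))
    return violations

# Constructed sample: the SA permits only "db-creds", but an init container reads
# "admin-token" through envFrom, the bypass the report describes.
SAMPLE_SA = {"metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
             "secrets": [{"name": "db-creds"}]}
SAMPLE_POD = {"spec": {
    "containers": [{"name": "web", "env": [{"name": "PW", "valueFrom":
                    {"secretKeyRef": {"name": "db-creds", "key": "pw"}}}]}],
    "initContainers": [{"name": "init",
                        "envFrom": [{"secretRef": {"name": "admin-token"}}]}],
}}
```

Run against live objects (for example `kubectl get pod -o json` and the matching ServiceAccount), the same function gives a quick way to find workloads that a patched kube-apiserver would now reject.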

Comment 7 TEJ RATHI 2024-04-17 05:26:27 UTC
Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-38 [bug 2275405]

