{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3177", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "state": "PUBLISHED", "assignerShortName": "kubernetes", "dateReserved": "2024-04-01T23:49:13.716Z", "datePublished": "2024-04-22T23:00:39.702Z", "dateUpdated": "2024-09-10T20:48:09.780Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"lessThanOrEqual": "1.27.12", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "affected", "version": "v1.28.0 - v1.28.8"}, {"status": "affected", "version": "v1.29.0 - v1.29.3"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "tha3e1vl"}], "datePublic": "2024-04-16T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.</div>"}], "value": "A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated."}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2024-09-10T20:48:09.780Z"}, "references": [{"tags": ["mailing-list"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ"}, {"tags": ["issue-tracking"], "url": "https://github.com/kubernetes/kubernetes/issues/124336"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a></div></div>"}], "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/"}], "source": {"discovery": "INTERNAL"}, "title": "Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T00:12:31.706727Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*"], "vendor": "kubernetes", "product": "kubernetes", "versions": [{"status": "affected", "version": "1.29.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:33:03.250Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:07.568Z"}, "title": "CVE Program Container", "references": [{"tags": ["mailing-list", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/124336"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/16/4", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/124336", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL54MTLGMTBZZO5PYGEGEBERTMADC4WC/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/16/4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:07.568Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3177", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T00:12:31.706727Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*"], "vendor": "kubernetes", "product": "kubernetes", "versions": [{"status": "affected", "version": "1.29.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-23T00:10:53.094Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "tha3e1vl"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kubernetes", "product": "Kubernetes", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.27.12"}, {"status": "affected", "version": "v1.28.0 - v1.28.8"}, {"status": "affected", "version": "v1.29.0 - v1.29.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/", "supportingMedia": [{"type": "text/html", "value": "<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/</a></div></div>", "base64": false}]}], "datePublic": "2024-04-16T10:00:00.000Z", "references": [{"url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ", "tags": ["mailing-list"]}, {"url": "https://github.com/kubernetes/kubernetes/issues/124336", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.", "supportingMedia": [{"type": "text/html", "value": "<div>A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes", "dateUpdated": "2024-09-10T20:48:09.780Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3177", "state": "PUBLISHED", "dateUpdated": "2024-09-10T20:48:09.780Z", "dateReserved": "2024-04-01T23:49:13.716Z", "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "datePublished": "2024-04-22T23:00:39.702Z", "assignerShortName": "kubernetes"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de seguridad en Kubernetes donde los usuarios pueden lanzar contenedores que omiten la pol\u00edtica de secretos montables aplicada por el complemento de admisi\u00f3n ServiceAccount cuando usan contenedores, contenedores init y contenedores ef\u00edmeros con el campo envFrom completo. La pol\u00edtica garantiza que los pods que se ejecutan con una cuenta de servicio solo puedan hacer referencia a secretos especificados en el campo de secretos de la cuenta de servicio. Los cl\u00fasteres de Kubernetes solo se ven afectados si el complemento de admisi\u00f3n ServiceAccount y la anotaci\u00f3n kubernetes.io/enforce-mountable-secrets se usan junto con contenedores, contenedores init y contenedores ef\u00edmeros con el campo envFrom completo."}], "id": "CVE-2024-3177", "lastModified": "2024-09-10T21:15:13.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "jordan@liggitt.net", "type": "Secondary"}]}, "published": "2024-04-22T23:15:51.180", "references": [{"source": "jordan@liggitt.net", "url": "https://github.com/kubernetes/kubernetes/issues/124336"}, {"source": "jordan@liggitt.net", "url": "https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0043", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "microshift-0:4.16.0-202406260523.p0.gc5a37df.assembly.4.16.0.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-06-27T00:00:00Z"}], "bugzilla": {"description": "kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by the ServiceAccount admission plugin", "id": "2274118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274118"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-213", "details": ["A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account\u2019s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.", "A flaw was found in Kubernetes' kube-apiserver. This flaw allows authenticated users to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated."], "name": "CVE-2024-3177", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-cluster-kube-apiserver-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-tests-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "ose-installer-kube-apiserver-artifacts-container", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-04-16T16:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3177\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3177\nhttps://discuss.kubernetes.io/t/security-advisory-cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin/27905"], "statement": "Kubernetes clusters are only affected if the ServiceAccount admission plugin and the *kubernetes.io/enforce-mountable-secrets* annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.", "threat_severity": "Low", "upstream_fix": "Kubernetes 1.27.13, Kubernetes 1.28.9, Kubernetes 1.29.4"}