#VU88934 Permissions, Privileges, and Access Controls in apiserver - CVE-2024-3177
Published: April 23, 2024
Vulnerability identifier: #VU88934
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-3177
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
apiserver
apiserver
Software vendor:
Kubernetes
Kubernetes
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
Remediation
Install updates from vendor's website.