#VU98764 Use of default credentials in image-builder - CVE-2024-9594

 


Published: October 17, 2024


Vulnerability identifier: #VU98764
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-9594
CWE-ID: CWE-1392
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: image-builder
Software vendor: Kubernetes SIGs

Description

The vulnerability allows a remote attacker to compromise the image build process.

The vulnerability exists because default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. A remote attacker who is able to reach the VM where the image build is taking place can compromise the image during its build.


Remediation

Install updates from the vendor's website.

External links