Use of default credentials in image-builder - CVE-2024-9594


Published: October 17, 2024


Vulnerability identifier: #VU98764
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-9594
CWE-ID: CWE-1392
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kubernetes SIGs
Affected software: image-builder

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the image build process.

The vulnerability exists because default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. A remote attacker able to reach the VM on which the image is being built can compromise the image during its build.
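A practical post-build check for the failure mode described above is to confirm that no build-time account in the produced image is left with a usable password. The following is an added example, not code from the advisory or from the image-builder project: it assumes the operator has extracted `/etc/shadow` from the built image (for instance by mounting the disk image) and knows which account names exist only for the build; the account names and shadow lines below are constructed sample data.

```python
"""Post-build audit: flag build-time accounts left with a usable password.

Added example (not part of the advisory or of image-builder). Assumes the
image's /etc/shadow has been extracted and that the set of build-time
account names is known; all sample data here is constructed.
"""

# Constructed sample /etc/shadow content from a hypothetical built image.
# 'buildsvc' keeps a real hash, 'provisioner' has an empty password field.
SAMPLE_SHADOW = """\
root:!:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
buildsvc:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijk:19600:0:99999:7:::
provisioner::19600:0:99999:7:::
sshd:*:19600:0:99999:7:::
"""

# Account names the operator expects to exist only during the build (assumption).
BUILD_TIME_ACCOUNTS = {"buildsvc", "provisioner"}


def parse_shadow(text):
    """Return {account: password_field} for each well-formed shadow line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line {lineno}")
        entries[fields[0]] = fields[1]
    return entries


def password_usable(field):
    """True if the password field permits password authentication.

    A field starting with '!' or '*' is locked; an empty field means no
    password is required at all, which is the worst case.
    """
    if field == "":
        return True
    return field[0] not in ("!", "*")


def audit_build_accounts(shadow_text, build_accounts):
    """Return a sorted list of (account, reason) findings for the image.

    An account that was removed at the end of the build produces no finding;
    one that survives with a usable or empty password is reported.
    """
    findings = []
    entries = parse_shadow(shadow_text)
    for name in sorted(build_accounts):
        if name not in entries:
            continue  # account removed at end of build: nothing to report
        field = entries[name]
        if field == "":
            findings.append((name, "empty password field"))
        elif password_usable(field):
            findings.append((name, "usable password hash left enabled"))
    return findings


def audit_mounted_image(mount_root, build_accounts):
    """Run the audit against an image mounted at mount_root (assumed path)."""
    with open(f"{mount_root}/etc/shadow", encoding="utf-8") as fh:
        return audit_build_accounts(fh.read(), build_accounts)


if __name__ == "__main__":
    for account, reason in audit_build_accounts(SAMPLE_SHADOW, BUILD_TIME_ACCOUNTS):
        print(f"FAIL {account}: {reason}")
```

Run against a mounted image with `audit_mounted_image("/mnt/image", BUILD_TIME_ACCOUNTS)`; an empty result means every build-time account was either removed or locked before the image was finalised. The check deliberately treats an empty password field separately, since that case grants access without any credential at all.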


How to mitigate CVE-2024-9594

Install updates from the vendor's website.

Sources