CVE-2024-3177— Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

输入验证不恰当

Kubernetes 输入验证错误漏洞

Kubernetes（K8s）是云原生计算基金会（Cloud Native Computing Foundation）的一个开源系统，用于自动部署、扩展和管理容器化应用程序。 Kubernetes存在安全漏洞，该漏洞源于允许攻击者绕过ServiceAccount准入插件强制执行的可挂载机密策略。受影响的产品和版本：Kubernetes v1.29.0至v1.29.3版本，v1.28.0至v1.28.8版本，v1.27.12及之前版本。

N/A

N/A