Security Issue in Kubernetes: Bypassing Mountable Secrets Policy with envFrom Field
CVE-2024-3177

2.7LOW

Key Information:

Vendor: Kubernetes
Status: Kubernetes
Vendor: CVE Published:; 22 April 2024

Summary

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Version(s)

Kubernetes v1.27.12

Kubernetes v1.28.0 - v1.28.8

Kubernetes v1.29.0 - v1.29.3

References

https://groups.google.com/g/kubernetes-security-announce/...

mailing-list

https://github.com/kubernetes/kubernetes/issues/124336

issue-tracking

https://lists.fedoraproject.org/archives/list/package-ann...

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 22, 2024

Credit

tha3e1vl