Default Credentials Vulnerability in Kubernetes Image Builder (Nutanix, OVA, QEMU and raw providers)
CVE-2024-9594

8.1HIGH

Key Information:

Vendor: Kubernetes
CVE Published: 15 October 2024

Badges

📰 News Worthy

Summary

Kubernetes Image Builder versions v0.1.37 and earlier enable default credentials on the virtual machine used to build node images. With the Nutanix, OVA, QEMU or raw providers, anyone who can reach that VM over SSH while the build is running can log in with those credentials and obtain root access. The window is limited to the build itself: for these providers the default credentials are disabled when the image build completes, so the finished image is not left with a usable account, but the build VM must be kept off untrusted networks while it runs. Root on the build VM also gives an attacker the opportunity to tamper with the image being produced before it is ever deployed as a node. Image Builder v0.1.38 replaces the default password with a randomly generated one for the duration of the build and still disables the builder account at the end, so affected images should be rebuilt with v0.1.38 or later.
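A practitioner's check for the condition described in the summary, added here as an example and not code from the Kubernetes Image Builder project: a POSIX shell audit of an image's /etc/shadow that reports every account still able to log in with a password. The account name "builder" and the sample shadow-file contents are constructed for the demonstration and are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not Image Builder project code. Audits a node image's
# /etc/shadow for accounts that can still authenticate with a password.
# Typical use after mounting the built disk's root filesystem:
#   audit_shadow /mnt/image/etc/shadow
# Assumption: the build-time account is called "builder" (assumed for the
# sample data only); every account with a usable hash is reported regardless.

# Return 0 when the shadow hash field means "no password login possible":
#   "!", "!!" or "!<hash>"  -> locked (passwd -l / usermod -L)
#   "*"                     -> no password ever set (system accounts)
# Anything else, including an empty field, is treated as usable.
hash_is_locked() {
  case "$1" in
    '!'*|'*') return 0 ;;
    *)        return 1 ;;
  esac
}

# Print "user:reason" for every account with a usable password.
# Returns 1 if at least one such account exists, 0 if none.
audit_shadow() {
  shadow="$1"
  rc=0
  while IFS=: read -r user hash _rest; do
    [ -n "$user" ] || continue
    if ! hash_is_locked "$hash"; then
      if [ -z "$hash" ]; then
        echo "$user:empty-password-field"
      else
        echo "$user:usable-password-hash"
      fi
      rc=1
    fi
  done < "$shadow"
  return $rc
}

# Constructed sample shadow files for an offline demonstration (fake data).
# "vulnerable" models the build VM mid-build: builder has a usable hash.
# "fixed" models the finished image: the builder account has been locked.
#   $1 = vulnerable|fixed, $2 = output path
write_sample_shadow() {
  if [ "$1" = vulnerable ]; then
    builder_field='$6$saltsalt$fakehashfakehashfakehashfakehashfakehash'
  else
    builder_field='!'
  fi
  printf '%s\n' \
    'root:*:19900:0:99999:7:::' \
    "builder:${builder_field}:19900:0:99999:7:::" \
    'daemon:*:19900:0:99999:7:::' > "$2"
}

# When invoked directly with a path, audit that shadow file.
if [ "$#" -gt 0 ]; then
  audit_shadow "$1"
fi
```

Mount the finished image's root filesystem (for example with guestmount or a loop device) and point audit_shadow at its etc/shadow. For the providers named above, a completed build should report nothing, because the credentials are disabled at the end of the build; the same check run against the build VM while the build is in progress would flag the builder account. Any account reported on a finished image, builder or otherwise, means the image can be logged into with a password and should not be used as a node image until it is rebuilt.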

News Articles

Critical Kubernetes Image Builder bug allows SSH root access

A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) thanks to default credentials being enabled during the image build process. Image Builder is a tool...

Critical Kubernetes Image Builder flaw gives SSH root access to VMs

A critical vulnerability in Kubernetes could allow unauthorized SSH access to a virtual machine running an image created with the Kubernetes Image Builder project.

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by BleepingComputer
  • Vulnerability published