Notice of Kubernetes Security Vulnerability (CVE-2024-10220)
The Kubernetes community recently discovered a security vulnerability (CVE-2024-10220). This vulnerability allows an attacker who has the necessary permissions to create pods associated with gitRepo volumes to run arbitrary commands outside the containers. The attacker can exploit the hooks directory in the target Git repository to escape the containers and execute malicious commands.
Vulnerability Details
Type | CVE-ID | Severity | Discovered
---|---|---|---
Container escape | CVE-2024-10220 | High | 2024-11-22
Impact
The following cluster versions are affected:
- v1.27.0-r0 to v1.27.8-r0
- v1.28.0-r0 to v1.28.6-r0
Identification Method
Log in to the CCE console, click the name of the target cluster to access the cluster console, and check the cluster version on the Overview page.

- If the cluster version is not one of the versions mentioned above, then the vulnerability does not affect the cluster.
- If the cluster version falls within the affected range, run the following command to check whether any pod in the cluster uses a gitRepo volume and is therefore exposed to the vulnerability:
kubectl get pods --all-namespaces -o yaml | grep gitRepo -A 2
(The command lists every gitRepo volume mounted in a pod. A gitRepo volume clones the configured repository into the pod, including its .git subdirectory, which is where the hooks directory used in the attack lives.)
If the command output shows no gitRepo configuration, no pod uses a gitRepo volume and the cluster is not affected by the vulnerability.
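The same check as a script, added here as an example and not part of the original notice or the CCE documentation: it parses the JSON form of the kubectl output (`kubectl get pods --all-namespaces -o json`) and reports each gitRepo volume with its namespace, pod and repository, which is easier to audit than grepping YAML. The pod list embedded below is a constructed sample; pass `-` to read a real dump from stdin.

```python
import json
import sys

# Constructed sample of the JSON that `kubectl get pods --all-namespaces -o json`
# returns: two pods, only the first mounts a gitRepo volume.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-0"},
         "spec": {"volumes": [
             {"name": "site-src",
              "gitRepo": {"repository": "https://example.invalid/org/site.git",
                          "revision": "main"}},
             {"name": "tmp", "emptyDir": {}}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns-1"},
         "spec": {"volumes": [{"name": "config", "configMap": {"name": "coredns"}}]}},
    ],
})


def find_gitrepo_volumes(pod_list_json):
    """Return one record per gitRepo volume in a PodList JSON document.

    On an affected cluster version every such pod is exposed, whatever
    repository it clones, so each hit is a migration candidate."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        for vol in pod.get("spec", {}).get("volumes") or []:
            repo = vol.get("gitRepo")
            if repo is None:
                continue  # emptyDir, configMap, PVC, ... are not affected
            findings.append({
                "namespace": meta.get("namespace", ""),
                "pod": meta.get("name", ""),
                "volume": vol.get("name", ""),
                "repository": repo.get("repository", ""),
                "revision": repo.get("revision", ""),
            })
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pods --all-namespaces -o json | python3 check_gitrepo.py -
    # With no argument the constructed sample is scanned instead.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_POD_LIST
    hits = find_gitrepo_volumes(data)
    for h in hits:
        print(f"{h['namespace']}/{h['pod']} volume={h['volume']} repo={h['repository']}")
```

An empty result means no pod uses a gitRepo volume; each reported pod should be moved to the init-container clone pattern described under Solution.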
Solution
- This vulnerability has been fixed for CCE Autopilot clusters. Upgrade affected clusters promptly to a version that contains the fix. Clusters that have reached EOS should be upgraded to a version that is still under maintenance.
- gitRepo volumes are no longer supported. As a replacement, the community recommends performing the Git clone in an init container and mounting the resulting directory into the pod's containers. For details, see the example in GitHub.