Updated on 2025-03-27 GMT+08:00

Notice of Kubernetes Security Vulnerability (CVE-2024-10220)

The Kubernetes community recently discovered a security vulnerability (CVE-2024-10220). This vulnerability allows an attacker who has the necessary permissions to create pods associated with gitRepo volumes to run arbitrary commands outside the containers. The attacker can exploit the hooks directory in the target Git repository to escape the containers and execute malicious commands.

Vulnerability Details

Table 1 Vulnerability details

| Type             | CVE-ID         | Severity | Discovered |
| ---------------- | -------------- | -------- | ---------- |
| Container escape | CVE-2024-10220 | High     | 2024-11-22 |

Impact

The following cluster versions are affected:

  • v1.27.0-r0 to v1.27.8-r0
  • v1.28.0-r0 to v1.28.6-r0

Identification Method

Log in to the CCE console, click the name of the target cluster to access the cluster console, and check the cluster version on the Overview page.

Figure 1 Cluster Version

  • If the cluster version is not one of the versions mentioned above, then the vulnerability does not affect the cluster.
  • If the cluster version falls within the affected range, you can use the following command to check if the vulnerability has been exploited in the cluster:

    (This command lists every gitRepo storage volume that is mounted to a pod. A gitRepo volume clones the repository into the pod, including its .git subdirectory.)

     kubectl get pods --all-namespaces -o yaml | grep gitRepo -A 2

    If the command output does not show any gitRepo configuration, it means that the cluster is not affected by the vulnerability.
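The two checks above, the cluster version range and the gitRepo inventory, as an added example that is not part of this notice and not CCE code. It runs offline on a constructed PodList; to use it on a real cluster, feed it the JSON from `kubectl get pods --all-namespaces -o json`. It assumes, conservatively and beyond what the notice states, that every -rN revision of an affected patch level counts as affected.

```python
"""Added example: check a CCE cluster version against the affected ranges in the
notice and list gitRepo volumes from a PodList, the structured equivalent of
piping the pod YAML through grep. Not code from the notice or from CCE."""
import json
import re

# Inclusive affected ranges from the notice, as (major, minor, patch) tuples.
AFFECTED_RANGES = [((1, 27, 0), (1, 27, 8)), ((1, 28, 0), (1, 28, 6))]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-r\d+)?$")


def parse_version(version):
    """Parse a CCE version string such as 'v1.27.5-r0' into (major, minor, patch).

    Assumption (not stated by the notice): the -rN revision is ignored, so every
    revision of an affected patch level is treated as affected.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised cluster version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def find_gitrepo_volumes(pod_list):
    """Return one record per gitRepo volume in a PodList (kubectl get pods -A -o json)."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        # 'volumes' may be absent or null; treat both as an empty list
        for volume in pod.get("spec", {}).get("volumes") or []:
            git_repo = volume.get("gitRepo")
            if git_repo is None:
                continue
            hits.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "volume": volume.get("name"),
                "repository": git_repo.get("repository"),
                "revision": git_repo.get("revision"),
                "directory": git_repo.get("directory"),
            })
    return hits


# Constructed sample PodList; not output from a real cluster.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "web-0"},
            "spec": {"volumes": [{"name": "cache", "emptyDir": {}}]},
        },
        {
            "metadata": {"namespace": "ci", "name": "builder-0"},
            "spec": {
                "volumes": [{
                    "name": "source",
                    "gitRepo": {
                        "repository": "https://git.example.invalid/team/app.git",
                        "revision": "main",
                    },
                }]
            },
        },
    ],
}


def triage(version, pod_list):
    """Summary an operator wants: is the version affected, and which pods
    currently expose a gitRepo volume."""
    return {"version_affected": is_affected(version),
            "gitrepo_volumes": find_gitrepo_volumes(pod_list)}


if __name__ == "__main__":
    # For a real cluster, replace SAMPLE_POD_LIST with json.load(sys.stdin)
    # fed by: kubectl get pods --all-namespaces -o json
    print(json.dumps(triage("v1.27.5-r0", SAMPLE_POD_LIST), indent=2))
```

The version check and the volume inventory answer different questions: a version inside the range means the kubelet still honours gitRepo volumes, while an empty inventory only means no pod is using one at the moment, so both results are worth recording.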

Solution

  • This vulnerability has been fixed for CCE Autopilot clusters. Promptly upgrade the cluster to a version in which the vulnerability has been fixed. For clusters that have reached EOS, upgrade them to versions that are still under maintenance.

    Fixed cluster versions: v1.27.9-r0, v1.28.7-r0, and later

  • gitRepo storage volumes are no longer supported. Instead, the community recommends using an init container to run the Git clone and then mounting the resulting directory into the pod's containers. For details, see the example on GitHub.
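The init-container pattern recommended above, as an added example that is neither the community's GitHub example nor CCE code: it rewrites a pod spec so that each gitRepo volume becomes an emptyDir filled by an init container that performs the clone. It assumes an image that ships a git binary (the `alpine/git` name here is an assumption), a `/workspace` mount path inside the init container, and mirrors the gitRepo `directory` semantics ('.' means the mount root, a name means that subdirectory, unset means the repository's basename). The sample pod is constructed.

```python
"""Added example: convert gitRepo volumes in a pod spec into the
emptyDir + init-container pattern. Not the community's GitHub example and
not CCE code."""
import copy
import json
import shlex

GIT_IMAGE = "alpine/git:latest"   # assumption: any image with a git binary will do
MOUNT = "/workspace"              # where the init container sees the shared volume


def _target_dir(git_repo):
    """Directory the gitRepo volume would have cloned into, as an absolute path
    under MOUNT, following the gitRepo 'directory' field semantics."""
    directory = git_repo.get("directory") or ""
    if not directory:
        # unset: git's default name, the repository basename without .git
        directory = git_repo["repository"].rstrip("/").rsplit("/", 1)[-1]
        if directory.endswith(".git"):
            directory = directory[:-4]
    if any(part == ".." for part in directory.split("/")):
        raise ValueError(f"refusing path traversal in directory: {directory!r}")
    return MOUNT if directory == "." else f"{MOUNT}/{directory}"


def clone_command(git_repo):
    """Shell command for the init container: clone, then check out the revision.
    shlex.join quotes each argument so repository URLs and revisions cannot
    break out of the command line."""
    target = _target_dir(git_repo)
    steps = [shlex.join(["git", "clone", "--", git_repo["repository"], target])]
    if git_repo.get("revision"):
        steps.append(shlex.join(["git", "-C", target, "checkout", git_repo["revision"]]))
    return " && ".join(steps)


def convert_pod(pod):
    """Return a copy of the pod in which every gitRepo volume is replaced by an
    emptyDir plus an init container that performs the clone. The input pod is
    left unchanged."""
    new_pod = copy.deepcopy(pod)
    spec = new_pod["spec"]
    init_containers = spec.get("initContainers") or []
    for volume in spec.get("volumes") or []:
        git_repo = volume.pop("gitRepo", None)
        if git_repo is None:
            continue
        volume["emptyDir"] = {}
        init_containers.append({
            "name": f"git-clone-{volume['name']}",
            "image": GIT_IMAGE,
            "command": ["sh", "-c", clone_command(git_repo)],
            "volumeMounts": [{"name": volume["name"], "mountPath": MOUNT}],
        })
    if init_containers:
        spec["initContainers"] = init_containers
    return new_pod


# Constructed sample pod; not taken from a real cluster.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "builder-0", "namespace": "ci"},
    "spec": {
        "containers": [{
            "name": "build",
            "image": "example.invalid/build-tools:1.0",
            "volumeMounts": [{"name": "source", "mountPath": "/src"}],
        }],
        "volumes": [{
            "name": "source",
            "gitRepo": {
                "repository": "https://git.example.invalid/team/app.git",
                "revision": "main",
                "directory": ".",
            },
        }],
    },
}

if __name__ == "__main__":
    # JSON is valid YAML, so the output can be saved and applied with kubectl
    print(json.dumps(convert_pod(SAMPLE_POD), indent=2))
```

The application container keeps its original volumeMounts untouched; only the volume's backing changes, and the clone now runs in an ordinary container with its own image and security context rather than in the kubelet.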