Updated on 2025-07-23 GMT+08:00

Notice of Kubernetes Security Vulnerability (CVE-2024-10220)

The Kubernetes community has disclosed a security vulnerability (CVE-2024-10220) in the kubelet's handling of gitRepo volumes. An attacker who has the permissions needed to create pods that use gitRepo volumes can point such a volume at a Git repository under their control. When the kubelet clones that repository on the node, the hooks directory of the repository can be used to run arbitrary commands outside the container boundary, that is, on the node itself rather than inside the pod, which amounts to a container escape.

Description

Table 1 Vulnerability details

  Type               CVE-ID           Severity   Discovered
  Container escape   CVE-2024-10220   High       2024-11-22

Impact

The following CCE cluster versions are affected:

  • All versions earlier than v1.25
  • v1.25.0-r0 to v1.25.16-r2
  • v1.27.0-r0 to v1.27.16-r2
  • v1.28.0-r0 to v1.28.8-r2
  • v1.29.0-r0 to v1.29.4-r2
  • v1.30.0-r0 to v1.30.1-r2

Identification Method

Log in to the CCE console, click the name of the target cluster to access the cluster console, and check the cluster version on the Overview page.

  • If the cluster version is outside the ranges listed above, the cluster is not affected.
  • If the cluster version falls within an affected range, run the following command to find out whether any pod currently uses a gitRepo volume, which is the precondition for exploiting this vulnerability:

    (The command lists every gitRepo volume declared in pods across all namespaces, together with the two lines that follow each match, normally the configured repository and the directory or revision. It only reads pod definitions; it does not clone anything.)

     kubectl get pods --all-namespaces -o yaml | grep gitRepo -A 2

    If the output contains no gitRepo configuration, no running pod is using this volume type at the moment. This is a point-in-time check, not proof that the cluster is safe: any principal allowed to create pods can still add a gitRepo volume until the cluster is upgraded to a fixed version. For every match, review whether the repository is one you control and whether the pod still needs the volume.
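    The two checks in this section, the version comparison and the search for gitRepo volumes, can be scripted. The following is an added example written for this bulletin, not a tool provided by CCE or the Kubernetes project. It encodes the affected and fixed version ranges exactly as this page lists them (versions that appear in neither list, such as v1.26 or v1.25.16-r3, are reported as "not listed" rather than guessed), and it walks the JSON that `kubectl get pods -A -o json` produces instead of grepping YAML, so each hit carries its namespace, pod, repository, directory and revision. The pod list embedded below is a constructed sample; the file name in the usage comment is an assumption.

```python
"""Identification helpers for CVE-2024-10220 on CCE clusters.

Added example: classify a CCE cluster version against the ranges in this
bulletin and enumerate gitRepo volumes in `kubectl get pods -A -o json` output.
"""
import json
import re
import sys

# Affected ranges (inclusive) and first fixed patch per release line, copied from
# the Impact and Solution sections. Entries are (patch, revision) pairs from the
# CCE version format v<major>.<minor>.<patch>-r<revision>.
AFFECTED_RANGES = {
    25: ((0, 0), (16, 2)),   # v1.25.0-r0 .. v1.25.16-r2
    27: ((0, 0), (16, 2)),   # v1.27.0-r0 .. v1.27.16-r2
    28: ((0, 0), (8, 2)),    # v1.28.0-r0 .. v1.28.8-r2
    29: ((0, 0), (4, 2)),    # v1.29.0-r0 .. v1.29.4-r2
    30: ((0, 0), (1, 2)),    # v1.30.0-r0 .. v1.30.1-r2
}
FIXED_FROM = {25: (16, 4), 27: (16, 4), 28: (13, 0), 29: (8, 0), 30: (4, 0)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-r(\d+))?$")


def parse_version(text):
    """Split 'v1.28.8-r2' into (1, 28, 8, 2); a missing patch or revision counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised cluster version: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def classify_version(text):
    """Return 'affected', 'fixed' or 'not listed' according to the bulletin."""
    major, minor, patch, rev = parse_version(text)
    if (major, minor) < (1, 25):
        return "affected"                 # "< v1.25": every older cluster
    if major != 1:
        return "not listed"
    if minor in FIXED_FROM and (patch, rev) >= FIXED_FROM[minor]:
        return "fixed"
    if minor in AFFECTED_RANGES:
        low, high = AFFECTED_RANGES[minor]
        if low <= (patch, rev) <= high:
            return "affected"
    return "not listed"                   # e.g. v1.26 or v1.25.16-r3: in neither list


def find_gitrepo_volumes(pod_list):
    """List every gitRepo volume in a PodList with the fields that identify it."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for vol in pod.get("spec", {}).get("volumes") or []:
            git = vol.get("gitRepo")
            if git is None:
                continue
            hits.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "volume": vol.get("name"),
                "repository": git.get("repository"),
                "directory": git.get("directory", ""),
                "revision": git.get("revision", ""),
            })
    return hits


# Constructed sample standing in for real `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-0"},
         "spec": {"volumes": [
             {"name": "site", "gitRepo": {"repository": "https://example.invalid/site.git",
                                          "revision": "main", "directory": "."}},
             {"name": "scratch", "emptyDir": {}}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns-0"},
         "spec": {"volumes": [{"name": "config", "configMap": {"name": "coredns"}}]}},
    ],
}


if __name__ == "__main__":
    for version in ("v1.23.11-r0", "v1.28.8-r2", "v1.28.13-r0", "v1.30.1-r2", "v1.30.4-r0"):
        print(version, classify_version(version))
    # Usage (file name assumed): kubectl get pods -A -o json | python3 check_gitrepo.py
    pods = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for hit in find_gitrepo_volumes(pods):
        print("gitRepo volume: %(namespace)s/%(pod)s volume=%(volume)s "
              "repo=%(repository)s dir=%(directory)s rev=%(revision)s" % hit)
```

    Run without input it classifies a few sample versions and scans the embedded sample; piped from kubectl it scans the live cluster. Pods are the only objects inspected, so a Deployment or CronJob whose template declares a gitRepo volume but has no pod running at the moment will not show up; check workload templates as well before concluding that the volume type is unused.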

Solution

  • We have fixed this vulnerability. Check the Patch Versions page for updates and upgrade your clusters to a fixed version. Clusters that have reached end of service (EOS) should be upgraded to a version that is still under maintenance.

    Versions of clusters with the vulnerability fixed include v1.25.16-r4, v1.27.16-r4, v1.28.13-r0, v1.29.8-r0, v1.30.4-r0, and later.

  • The gitRepo volume type is deprecated in Kubernetes and should no longer be used. The community recommends replacing it with an init container that runs git clone into a volume shared with the application containers (for example an emptyDir), so that the clone runs inside a container instead of being performed by the kubelet on the node. For details, see the example in GitHub.
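    The following is an added example of that replacement, written for this bulletin; it is not the community's GitHub example and not CCE tooling. It rewrites a Pod spec so that every gitRepo volume becomes an emptyDir of the same name, filled by an init container that performs the clone and checkout. Because the volume name is kept, the application containers' volumeMounts work unchanged. The container image, the `/work` mount path and the sample Pod are assumptions of this example, as is the use of a clone-then-checkout script so that a commit hash works as a revision the way it did with gitRepo.

```python
"""Migrate gitRepo volumes to an init-container clone into an emptyDir.

Added example for the remediation above, not the community's GitHub example.
Feed it a Pod from `kubectl get pod <name> -o json`; it prints a manifest.
"""
import copy
import json
import re
import sys

# Image for the clone step. An assumption for this example: use an image your
# organisation trusts and pin it by digest in a real cluster.
GIT_IMAGE = "alpine/git:v2.45.2"

# git clone runs inside the init container, so a malicious repository (hooks
# included) can at most affect this container and the emptyDir, not the node.
# $0 = repository, $1 = target directory, $2 = optional revision.
CLONE_SCRIPT = (
    'git clone -- "$0" "$1" && '
    'if [ -n "$2" ]; then git -C "$1" checkout --quiet "$2"; fi'
)


def default_clone_dir(repository):
    """Directory name git picks for a bare `git clone <repo>`: last path element minus .git."""
    name = repository.rstrip("/").rsplit("/", 1)[-1]
    return re.sub(r"\.git$", "", name) or "repo"


def convert_pod_spec(pod_spec):
    """Return a copy of pod_spec in which each gitRepo volume is an emptyDir of
    the same name, populated by an init container. The input is not modified."""
    spec = copy.deepcopy(pod_spec)
    init_containers = spec.setdefault("initContainers", [])
    for vol in spec.get("volumes") or []:
        git = vol.pop("gitRepo", None)
        if git is None:
            continue
        vol["emptyDir"] = {}
        repo = git["repository"]
        # gitRepo cloned into <volume>/<directory>; "." meant the volume root and an
        # unset directory meant git's default name derived from the repository URL.
        directory = git.get("directory") or default_clone_dir(repo)
        target = "/work" if directory == "." else "/work/" + directory.strip("/")
        init_containers.insert(0, {
            "name": "git-clone-" + vol["name"],
            "image": GIT_IMAGE,
            "command": ["sh", "-c", CLONE_SCRIPT, repo, target, git.get("revision", "")],
            "volumeMounts": [{"name": vol["name"], "mountPath": "/work"}],
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        })
    return spec


def convert_pod(pod):
    """Convert a Pod object; metadata and application containers stay as they were."""
    out = copy.deepcopy(pod)
    out["spec"] = convert_pod_spec(pod["spec"])
    return out


# Constructed sample Pod showing the gitRepo pattern this bulletin is about.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-0", "namespace": "default"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.27",
                        "volumeMounts": [{"name": "site", "mountPath": "/usr/share/nginx/html"}]}],
        "volumes": [{"name": "site",
                     "gitRepo": {"repository": "https://example.invalid/site.git",
                                 "revision": "main", "directory": "."}}],
    },
}


if __name__ == "__main__":
    # Usage (file name assumed): kubectl get pod web-0 -o json | python3 migrate_gitrepo.py
    pod = SAMPLE_POD if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(convert_pod(pod), indent=2))
```

    A running pod's volumes cannot be changed in place, so delete and recreate the pod from the printed manifest, or apply convert_pod_spec to the pod template of the owning Deployment or StatefulSet (spec.template.spec) and roll it out. Credentials for private repositories belong in a Secret mounted into the init container, not in the repository URL.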