x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-vv39-3w5q-974q #3522

Open
GoVulnBot opened this issue Mar 13, 2025 · 0 comments

Advisory GHSA-vv39-3w5q-974q references a vulnerability in the following Go modules:

Module
k8s.io/kubernetes

Description:
A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.29.13
        - introduced: 1.30.0-alpha.0
        - fixed: 1.30.9
        - introduced: 1.31.0-alpha.0
        - fixed: 1.31.5
        - introduced: 1.32.0-alpha.0
        - fixed: 1.32.1
      vulnerable_at: 1.32.0
summary: |-
    Kubernetes allows Command Injection affecting Windows nodes via
    nodes/*/logs/query API in k8s.io/kubernetes
cves:
    - CVE-2024-9042
ghsas:
    - GHSA-vv39-3w5q-974q
references:
    - advisory: https://github.com/advisories/GHSA-vv39-3w5q-974q
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9042
    - fix: https://github.com/kubernetes/kubernetes/commit/45f4ccc2153bbb782253704cbe24c05e22b5d60c
    - fix: https://github.com/kubernetes/kubernetes/commit/5fe148234f8ab1184f26069c4f7bef6c37efe347
    - fix: https://github.com/kubernetes/kubernetes/commit/75c83a6871dc030675288c6d63c275a43c2f0d55
    - fix: https://github.com/kubernetes/kubernetes/commit/fb0187c2bf7061258bb89891edb1237261eb7abc
    - report: https://github.com/kubernetes/kubernetes/issues/129654
    - web: http://www.openwall.com/lists/oss-security/2025/01/16/1
    - web: https://groups.google.com/g/kubernetes-security-announce/c/9C3vn6aCSVg
source:
    id: GHSA-vv39-3w5q-974q
    created: 2025-03-13T22:01:23.446102339Z
review_status: UNREVIEWED
