Path Traversal in Kubernetes Kubelet
CVE-2024-10220
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, and from 1.30.0 through 1.30.2.
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.030 (85.7th percentile).
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.
Affected products
- Kubernetes Kubelet — versions through 1.28.11, 1.29.0 through 1.29.6, and 1.30.0 through 1.30.2
Weakness classification (CWE)
Public proof-of-concept exploits
- mrk336/CVE-2024-10220-Kubernetes-gitRepo-Volume-Vulnerability
- mochizuki875/CVE-2024-10220-githooks
- imohammed28/cve-2024-10220-test
- saleha-muzammil/cve-2024-10220-git-on-git
- orgC/CVE-2024-10220-demo
- candranapits/poc-CVE-2024-10220
- filipzag/CVE-2024-10220
- any2sec/cve-2024-10220
- XiaomingX/cve-2024-10220-githooks
- XiaomingX/nice-juejin-article
References
- jordan@liggitt.net (issue-tracking)
- jordan@liggitt.net (mailing-list)
Frequently asked questions
- What is CVE-2024-10220?
- CVE-2024-10220 is a high-severity vulnerability in Kubernetes Kubelet, classified under Path Traversal. CVSS score: 8.1/10. Published 2024-11-22.
- How severe is CVE-2024-10220?
- High severity. CVSS v3 base score is 8.1 out of 10.
- Is CVE-2024-10220 known to be exploited?
- 14 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.