CVE-2024-9042: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node’s ‘/logs’ endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
References
- github.com/advisories/GHSA-vv39-3w5q-974q
- github.com/kubernetes/kubernetes
- github.com/kubernetes/kubernetes/commit/45f4ccc2153bbb782253704cbe24c05e22b5d60c
- github.com/kubernetes/kubernetes/commit/5fe148234f8ab1184f26069c4f7bef6c37efe347
- github.com/kubernetes/kubernetes/commit/75c83a6871dc030675288c6d63c275a43c2f0d55
- github.com/kubernetes/kubernetes/commit/fb0187c2bf7061258bb89891edb1237261eb7abc
- github.com/kubernetes/kubernetes/issues/129654
- groups.google.com/g/kubernetes-security-announce/c/9C3vn6aCSVg
- nvd.nist.gov/vuln/detail/CVE-2024-9042
Detect and mitigate CVE-2024-9042 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →