9.8

CVE-2024-9486

EPSS 0.58%
Veröffentlicht 15.10.2024 21:15:11
Zuletzt bearbeitet 08.11.2024 20:56:54
Quelle jordan@liggitt.net
Teams Watchlist Login
Unerledigt Login

A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kubernetes ≫ Image Builder Version < 0.1.38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.58%	0.68

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
jordan@liggitt.net	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/kubernetes-sigs/image-builder/pull/1595

Patch

https://github.com/kubernetes/kubernetes/issues/128006

Issue Tracking

https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-9486

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9486

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9486

EUVD