CVE-2024-9042
MEDIUM5.9EPSS 0.40%Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
發布日:2025/3/13修改日:2026/2/4
描述
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
受影響套件(2)
- Go/k8s.io/kubernetesfrom 0, < 1.29.13
- Go/k8s.io/kubernetesfrom 0, < 1.29.13, >= 1.30.0-alpha.0, < 1.30.9, >= 1.31.0-alpha.0, < 1.31.5, >= 1.32.0-alpha.0, < 1.32.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N |
參考連結(10)
- ADVISORYhttps://github.com/advisories/GHSA-vv39-3w5q-974q
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-9042
- PATCHhttps://github.com/kubernetes/kubernetes
- WEBhttps://github.com/kubernetes/kubernetes/commit/45f4ccc2153bbb782253704cbe24c05e22b5d60c
- WEBhttps://github.com/kubernetes/kubernetes/commit/5fe148234f8ab1184f26069c4f7bef6c37efe347
- WEBhttps://github.com/kubernetes/kubernetes/commit/75c83a6871dc030675288c6d63c275a43c2f0d55
- WEBhttps://github.com/kubernetes/kubernetes/commit/fb0187c2bf7061258bb89891edb1237261eb7abc
- WEBhttps://github.com/kubernetes/kubernetes/issues/129654
- WEBhttps://groups.google.com/g/kubernetes-security-announce/c/9C3vn6aCSVg
- WEBhttp://www.openwall.com/lists/oss-security/2025/01/16/1