CVE-2024-3177
Published: 22 April 2024
Summary
CVE-2024-3177 is a low-severity Improper Input Validation (CWE-20) vulnerability in Fedoraproject (inferred from references). Its CVSS base score is 2.7 (Low).
Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A security vulnerability tracked as CVE-2024-3177 exists in Kubernetes when the ServiceAccount admission plugin is combined with the kubernetes.io/enforce-mountable-secrets annotation. The flaw permits containers, init containers, and ephemeral containers that populate the envFrom field to bypass the mountable secrets policy, which is intended to ensure pods may reference only secrets listed in the associated service account. Clusters are affected solely under this specific combination of the admission plugin, annotation, and envFrom usage.
An attacker with high privileges can exploit the issue over a network to achieve limited unauthorized access to secrets, as reflected in the CVSS 2.7 rating that requires elevated permissions and yields only partial confidentiality impact. The bypass directly undermines the intended restriction enforced by the service account configuration.
The associated EPSS score remains flat at a low 0.0842 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1273
Vulnerability details
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
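The check the mountable-secrets policy is meant to perform, written out as an offline audit for exported manifests. This is an added example, not code from this page or from Kubernetes: it re-implements the policy's intent in Python so that a defender can run it over `kubectl get pod -o json` output and see which secret references (volumes, env secretKeyRef, and the envFrom secretRef path this CVE describes as unchecked) fall outside the service account's `secrets` list. The sample ServiceAccount and Pod are constructed for the demonstration; function and variable names are the example's own.

```python
"""Offline audit of the enforce-mountable-secrets policy.

Independent re-implementation of the policy's intent for auditing exported
manifests; it is not the kube-apiserver admission plugin code.
"""
from typing import Dict, List, Tuple

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

# The plugin must cover all three container kinds; CVE-2024-3177 is that the
# envFrom field on these kinds was not checked.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def secret_references(pod: Dict) -> List[Tuple[str, str]]:
    """Return (location, secret name) for every secret the pod spec references."""
    refs: List[Tuple[str, str]] = []
    spec = pod.get("spec") or {}

    # Secret volumes, including secret sources inside projected volumes.
    for vol in spec.get("volumes") or []:
        secret = vol.get("secret") or {}
        if secret.get("secretName"):
            refs.append((f"volumes/{vol.get('name')}", secret["secretName"]))
        for src in (vol.get("projected") or {}).get("sources") or []:
            name = (src.get("secret") or {}).get("name")
            if name:
                refs.append((f"volumes/{vol.get('name')}/projected", name))

    for kind in CONTAINER_LISTS:
        for c in spec.get(kind) or []:
            loc = f"{kind}/{c.get('name')}"
            # env[].valueFrom.secretKeyRef
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef") or {}
                if ref.get("name"):
                    refs.append((f"{loc}/env/{env.get('name')}", ref["name"]))
            # envFrom[].secretRef: the path the unpatched plugin did not check
            for ef in c.get("envFrom") or []:
                ref = ef.get("secretRef") or {}
                if ref.get("name"):
                    refs.append((f"{loc}/envFrom", ref["name"]))
    return refs


def policy_enforced(sa: Dict) -> bool:
    """The annotation only takes effect with the literal value "true"."""
    ann = (sa.get("metadata") or {}).get("annotations") or {}
    return ann.get(ENFORCE_ANNOTATION) == "true"


def unlisted_secret_refs(pod: Dict, sa: Dict) -> List[Tuple[str, str]]:
    """Secret references the policy should reject for this pod/service account."""
    if not policy_enforced(sa):
        return []
    allowed = {s.get("name") for s in sa.get("secrets") or []}
    return [(loc, name) for loc, name in secret_references(pod) if name not in allowed]


# Constructed sample manifests (not real cluster objects).
SAMPLE_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "app-sa", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-token"}],
}
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "serviceAccountName": "app-sa",
        "volumes": [{"name": "token", "secret": {"secretName": "app-token"}}],
        "containers": [{
            "name": "app",
            "env": [{"name": "TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "app-token", "key": "token"}}}],
            "envFrom": [{"secretRef": {"name": "db-creds"}}],
        }],
        "ephemeralContainers": [{"name": "debug",
                                 "envFrom": [{"secretRef": {"name": "db-creds"}}]}],
    },
}


def audit_sample() -> List[Tuple[str, str]]:
    return unlisted_secret_refs(SAMPLE_POD, SAMPLE_SA)


if __name__ == "__main__":
    for loc, name in audit_sample():
        print(f"{SAMPLE_POD['metadata']['name']}: {loc} references secret '{name}' not listed in {SAMPLE_SA['metadata']['name']}.secrets")
```

Only the two envFrom references are flagged: the volume and the env secretKeyRef point at `app-token`, which the service account lists, and on a patched cluster the admission plugin rejects the same two references at pod creation time. The audit is useful on an unpatched cluster, or as a check that existing pods created before patching do not already carry envFrom references outside the allowed list.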
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Input validation controls directly implement checks on information inputs to reject invalid data before it is processed.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.