x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

GoVulnBot · 2024-04-23T17:01:58Z

In GitHub Security Advisory GHSA-pxhw-596r-rwq5, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
k8s.io/kubernetes	1.28.9	>= 1.28.0, <= 1.28.8

Cross references:

Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qc2g-gmh6-95p4 #1891 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q4rr-64r9-fwgf #1946 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jq6-ffph-p4h8 #1959 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue dummy issue #64
Module k8s.io/kubernetes appears in issue dummy issue #65
Module k8s.io/kubernetes appears in issue dummy issue #66
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: k8s.io/kubernetes
      versions:
        - introduced: TODO (earliest fixed "1.28.9", vuln range ">= 1.28.0, <= 1.28.8")
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: TODO (earliest fixed "1.29.4", vuln range ">= 1.29.0, <= 1.29.3")
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.27.13
      vulnerable_at: 1.27.12
      packages:
        - package: k8s.io/kubernetes
summary: |-
    Kubernetes allows bypassing mountable secrets policy imposed by the
    ServiceAccount admission plugin in k8s.io/kubernetes
cves:
    - CVE-2024-3177
ghsas:
    - GHSA-pxhw-596r-rwq5
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2024-3177
    - report: https://github.com/kubernetes/kubernetes/issues/124336
    - web: https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ
    - fix: https://github.com/kubernetes/kubernetes/commit/7c861b1ecad97e1ab9332c970c9294a72065111a
    - fix: https://github.com/kubernetes/kubernetes/commit/a619ca3fd3ee3c222d9df784622020de398076d2
    - fix: https://github.com/kubernetes/kubernetes/commit/f9fb6cf52a769a599a45e700375115c2ecc86e9b
    - advisory: https://github.com/advisories/GHSA-pxhw-596r-rwq5
source:
    id: GHSA-pxhw-596r-rwq5

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-05-17T20:42:33Z

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

gopherbot · 2024-06-03T19:21:02Z

Change https://go.dev/cl/590039 mentions this issue: data/reports: add 51 reports

gopherbot · 2024-07-01T14:47:27Z

Change https://go.dev/cl/595975 mentions this issue: data/reports: update GO-2024-2746

- data/reports/GO-2024-2746.yaml Updates #2746 Change-Id: Ib156e8b36cf9c768a58ead781bdabccfc4c0b2fb Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/595975 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Zvonimir Pavlinovic <zpavlinovic@google.com>

maceonthompson self-assigned this Apr 29, 2024

tatianab added the triaged label May 23, 2024

gopherbot closed this as completed in 96f0f48 Jun 4, 2024

GoVulnBot mentioned this issue Jul 18, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994

Closed

GoVulnBot mentioned this issue Nov 22, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

GoVulnBot commented Apr 23, 2024

gopherbot commented May 17, 2024

gopherbot commented Jun 3, 2024

gopherbot commented Jul 1, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

Comments

GoVulnBot commented Apr 23, 2024

gopherbot commented May 17, 2024

gopherbot commented Jun 3, 2024

gopherbot commented Jul 1, 2024