x/vulndb: potential Go vuln in k8s.io/kubernetes/cmd/kube-apiserver: GHSA-r56h-j38w-hrqq

[GoVulnBot]

Advisory GHSA-r56h-j38w-hrqq references a vulnerability in the following Go modules:

Module
k8s.io/kubernetes

Description:
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.

References:

• ADVISORY: GHSA-r56h-j38w-hrqq
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-7598
• REPORT: CVE-2024-7598: Network restriction bypass via race condition during namespace termination kubernetes/kubernetes#126587
• WEB: http://www.openwall.com/lists/oss-security/2025/03/20/2
• WEB: https://groups.google.com/g/kubernetes-security-announce/c/67D7UFqiPRc

Cross references:

• k8s.io/kubernetes appears in 42 other report(s):
  • data/excluded/GO-2022-0904.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904) NOT_IMPORTABLE
  • data/excluded/GO-2022-0909.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909) NOT_IMPORTABLE
  • data/excluded/GO-2022-0940.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1943.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943) EFFECTIVELY_PRIVATE
  • data/reports/GO-2021-0066.yaml (dummy issue #66)
  • data/reports/GO-2022-0617.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617)
  • data/reports/GO-2022-0701.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701)
  • data/reports/GO-2022-0703.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703)
  • data/reports/GO-2022-0782.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-34jx-wx69-9x8v #782)
  • data/reports/GO-2022-0802.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubectl/cmd/cp: GHSA-6qfg-8799-r575 #802)
  • data/reports/GO-2022-0867.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/kubelet/server: GHSA-qhm4-jxv7-j9pq #867)
  • data/reports/GO-2022-0885.yaml (x/vulndb: potential Go vuln in k8s.io/kube-proxy: GHSA-wqv3-8cm6-h6wg #885)
  • data/reports/GO-2022-0886.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886)
  • data/reports/GO-2022-0890.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes/pkg/volume/storageos: GHSA-x6mj-w4jf-jmgw #890)
  • data/reports/GO-2022-0907.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907)
  • data/reports/GO-2022-0908.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908)
  • data/reports/GO-2022-0910.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910)
  • data/reports/GO-2022-0983.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983)
  • data/reports/GO-2023-1492.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492)
  • data/reports/GO-2023-1628.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-2394-5535-8j88 #1628)
  • data/reports/GO-2023-1629.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jh36-q97c-9928 #1629)
  • data/reports/GO-2023-1864.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864)
  • data/reports/GO-2023-1891.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qc2g-gmh6-95p4 #1891)
  • data/reports/GO-2023-1892.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892)
  • data/reports/GO-2023-1946.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q4rr-64r9-fwgf #1946)
  • data/reports/GO-2023-1959.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jq6-ffph-p4h8 #1959)
  • data/reports/GO-2023-1977.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977)
  • data/reports/GO-2023-1985.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985)
  • data/reports/GO-2023-2159.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: CVE-2021-25736 #2159)
  • data/reports/GO-2023-2170.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170)
  • data/reports/GO-2023-2330.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330)
  • data/reports/GO-2023-2341.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341)
  • data/reports/GO-2024-2746.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746)
  • data/reports/GO-2024-2748.yaml (x/vulndb: potential Go vuln in k8s.io/apimachinery: GHSA-33c5-9fx5-fvjm #2748)
  • data/reports/GO-2024-2753.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubelet: GHSA-55qj-gj3x-jq9r #2753)
  • data/reports/GO-2024-2754.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5x96-j797-5qqw #2754)
  • data/reports/GO-2024-2755.yaml (x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-5xfg-wv98-264m #2755)
  • data/reports/GO-2024-2780.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes/cmd/kubelet: GHSA-r76g-g87f-vw8f #2780)
  • data/reports/GO-2024-2994.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994)
  • data/reports/GO-2024-3277.yaml (x/vulndb: potential Go vuln in github.com/openshift/kubernetes: CVE-2024-0793 #3277)
  • data/reports/GO-2024-3286.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-27wf-5967-98gx #3286)
  • data/reports/GO-2025-3465.yaml (x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-jgfp-53c3-624w #3465)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/kubernetes
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 1.3.0, <= 1.32.3")
      vulnerable_at: 1.32.3
summary: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
cves:
    - CVE-2024-7598
ghsas:
    - GHSA-r56h-j38w-hrqq
references:
    - advisory: https://github.com/advisories/GHSA-r56h-j38w-hrqq
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-7598
    - report: https://github.com/kubernetes/kubernetes/issues/126587
    - web: http://www.openwall.com/lists/oss-security/2025/03/20/2
    - web: https://groups.google.com/g/kubernetes-security-announce/c/67D7UFqiPRc
source:
    id: GHSA-r56h-j38w-hrqq
    created: 2025-03-21T18:01:41.689446158Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports