CVE-2024-9042 – k8s.io/kubernetes

Package

Manager: go
Name: k8s.io/kubernetes
Vulnerable Version: >=0 <1.29.13 || >=1.30.0-alpha.0 <1.30.9 || >=1.31.0-alpha.0 <1.31.5 || >=1.32.0-alpha.0 <1.32.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0004 pctl0.11058

Details

Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.

Metadata

Created: 2025-03-13T18:32:22Z
Modified: 2025-03-13T21:24:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vv39-3w5q-974q/GHSA-vv39-3w5q-974q.json
CWE IDs: ["CWE-20", "CWE-77"]
Alternative ID: GHSA-vv39-3w5q-974q
Finding: F422
Auto approve: 1