CVE-2024-9486
CRITICAL: kubernetes-sigs/image_builder <= 0.1.37 - Use of Hard-coded Credentials in Proxmox Provider
Title source: llmDescription
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
References (3)
Issue Tracking (vendor-advisory, issue-tracking)
https://github.com/kubernetes/kubernetes/issues/128006
Vendor Advisory (mailing-list)
https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
Scores
CVSS v3
9.8
EPSS
0.0222
EPSS Percentile
80.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (2)
kubernetes-sigs/image-builder (Go)
0 - 0.1.38
kubernetes-sigs/image_builder
< 0.1.38
Published
Oct 15, 2024
Tracked Since
Feb 18, 2026