CVE-2024-9594
MEDIUMkubernetes-sigs/image_builder <= v0.1.37 - Use of Hard-coded Credentials in Nutanix, OVA, QEMU, and Raw Providers
Title source: llmDescription
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Because these images were vulnerable during the image build process, they are affected only if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring.
References (3)
Core 3
Core References
Issue Tracking vendor-advisory
issue-tracking
https://github.com/kubernetes/kubernetes/issues/128007
Vendor Advisory mailing-list
https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ
Scores
CVSS v3
6.3
EPSS
0.0164
EPSS Percentile
73.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (2)
kubernetes-sigs/image-builder
0 - 0.1.38Go
kubernetes-sigs/image_builder
< 0.1.38
Published
Oct 15, 2024
Tracked Since
Feb 18, 2026