Vulnerability Description
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes-Sigs | Image Builder | < 0.1.38 |
Related Weaknesses (CWE)
References
- https://github.com/kubernetes-sigs/image-builder/pull/1595Patch
- https://github.com/kubernetes/kubernetes/issues/128006Issue Tracking
- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHVendor Advisory
FAQ
What is CVE-2024-9486?
CVE-2024-9486 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox...
How severe is CVE-2024-9486?
CVE-2024-9486 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-9486?
Check the references section above for vendor advisories and patch information. Affected products include: Kubernetes-Sigs Image Builder.