High severity · 8.1 · NVD Advisory · Published Nov 22, 2024 · Updated Apr 15, 2026
CVE-2024-10220
Description
The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | < 1.28.12 | 1.28.12 |
| k8s.io/kubernetes (Go) | >= 1.29.0, < 1.29.7 | 1.29.7 |
| k8s.io/kubernetes (Go) | >= 1.30.0, < 1.30.3 | 1.30.3 |
Patches
1ab06efe92d8 Merge pull request #124531 from irsl/master
2 files changed · +20 −0
pkg/volume/git_repo/git_repo.go+6 −0 modified@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error { if err := validateNonFlagArgument(src.Directory, "directory"); err != nil { return err } + if (src.Revision != "") && (src.Directory != "") { + cleanedDir := filepath.Clean(src.Directory) + if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) { + return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory) + } + } return nil }
pkg/volume/git_repo/git_repo_test.go+14 −0 modified@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) { }, isExpectedFailure: true, }, + { + name: "invalid-revision-directory-combo", + vol: &v1.Volume{ + Name: "vol1", + VolumeSource: v1.VolumeSource{ + GitRepo: &v1.GitRepoVolumeSource{ + Repository: gitURL, + Revision: "main", + Directory: "foo/bar", + }, + }, + }, + isExpectedFailure: true, + }, } for _, scenario := range scenarios {
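Review bot: the new separator check in validateVolume is gated on `src.Revision != ""`, so a Directory containing `/` or `\` is still accepted whenever Revision is empty; if that asymmetry is deliberate, add a comment above the `if` saying why the restriction is tied to Revision, otherwise drop the Revision condition so the constraint applies to every gitRepo volume. Also note that `filepath.Clean` collapses `a/../b` to `b` but leaves a bare `..` unchanged, so `Directory: ".."` passes this check; if a parent-directory reference is not a valid target, reject it here explicitly. Minor style: the parentheses around `src.Revision != ""`, `src.Directory != ""` and the second `strings.Contains` call are redundant in Go and can be dropped.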
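Review bot: the single new scenario only exercises the forward-slash form with a non-empty Revision; add the neighbouring cases that pin down the rule's boundaries in the same `scenarios` table: `Directory: "foo\\bar"` with a revision (expected failure), `Directory: "foo/bar"` with `Revision: ""` (currently expected to pass, since the check is gated on Revision), and `Directory: "foo/"` with a revision (cleaned to `foo`, expected to pass), so that a later change to the `filepath.Clean` handling or the Revision gating is caught by the tests.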
References
- github.com/advisories/GHSA-27wf-5967-98gx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-10220 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/11/20/1 (nvd, WEB)
- github.com/kubernetes/kubernetes/commit/1ab06efe92d8e898ca1931471c9533ce94aba29b (ghsa, WEB)
- github.com/kubernetes/kubernetes/issues/128885 (nvd, WEB)
- groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko (nvd, WEB)
- pkg.go.dev/vuln/GO-2024-3286 (ghsa, WEB)