CVE-2024-33394
Description
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KubeVirt v1.2.0 and earlier grants a ClusterRole excessive list secrets permission, allowing an attacker with a stolen token to enumerate all cluster secrets and potentially take over the cluster.
In KubeVirt v1.2.0 and earlier, a ClusterRole is granted the ability to list secrets across the cluster, violating the principle of least privilege. This design flaw allows an attacker who obtains a token bound to that ClusterRole to list all secrets in the Kubernetes cluster [2].
An attacker must first steal a token from a service account that has this ClusterRole bound. The gist reference provides an example of stealing a token from a DaemonSet (e.g., hwameistor-loc...). Once the token is obtained, the attacker can use it to list secrets without further authentication [2].
With access to all secrets, the attacker can extract credentials, service account tokens, and other sensitive data. This can lead to privilege escalation and potentially full compromise of the Kubernetes cluster [2].
As of the publication date, the vulnerability affects KubeVirt versions up to and including v1.2.0. Users should upgrade to a patched version or restrict the ClusterRole permissions to mitigate the risk. No official patch is mentioned in the references, but the issue is acknowledged [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kubevirt.io/kubevirtGo | <= 1.2.0 | — |
Affected products
8- kubevirt/kubevirtdescription
- ghsa-coords7 versionspkg:golang/kubevirt.io/kubevirtpkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Tumbleweedpkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP5pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP6
<= 1.2.0+ 6 more
- (no CPE)range: <= 1.2.0
- (no CPE)range: < 1.1.1-150500.8.18.1
- (no CPE)range: < 1.1.1-150600.5.3.2
- (no CPE)range: < 1.2.2-2.1
- (no CPE)range: < 1.1.1-150500.8.18.1
- (no CPE)range: < 1.1.1-150500.8.18.1
- (no CPE)range: < 1.1.1-150600.5.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.