
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A high-severity security vulnerability (CVE-2024-10220) was discovered in the Kubernetes kubelet component that could allow arbitrary command execution via specially crafted gitRepo volumes. The vulnerability affects kubelet versions through 1.28.11, from 1.29.0 through 1.29.6, and from 1.30.0 through 1.30.2. This issue has been rated High with a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The vulnerability was originally disclosed with a fix in July and later assigned a CVE for tracking purposes (Kubernetes Issues, Kubernetes Security).
The vulnerability leverages the hooks folder in the target repository to execute arbitrary commands outside of the container's boundary. It affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository into a subdirectory; any user permitted to create a pod and attach a gitRepo volume to it can therefore run commands beyond the container boundary (Openwall, Security Online).
The vulnerability enables attackers to execute arbitrary commands outside of container boundaries, potentially leading to unauthorized access to sensitive data and privilege escalation across the Kubernetes cluster. The high CVSS score of 8.1 reflects the significant potential impact on confidentiality and integrity of the affected systems (Security Online).
To mitigate this vulnerability, users must upgrade their Kubernetes clusters to one of the fixed versions: v1.31.0, v1.30.3, v1.29.7, or v1.28.12. Since the gitRepo volume has been deprecated, the recommended long-term solution is to perform Git clone operations using an init container and then mount the directory into the Pod's container (ASEC, Kubernetes Security).
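As an added example (not Wiz's or the Kubernetes project's code), the script below ties the two actionable points above together: it flags pod specs that still use the deprecated in-tree gitRepo volume, checks a kubelet version string against the fixed releases listed in this report, and rewrites a flagged volume into the recommended pattern of an emptyDir populated by an init container running `git clone`. Pod specs are plain Python dicts in the Kubernetes API JSON shape (what `kubectl get pod -o json` returns); the sample pod, the repository URL and the `GIT_IMAGE` reference are constructed placeholders.

```python
"""Audit pod specs for the deprecated in-tree gitRepo volume, check kubelet
versions against the CVE-2024-10220 fixed releases, and build the
init-container replacement the advisory recommends (constructed example)."""
import re
from copy import deepcopy

# Hypothetical image reference; substitute the git image your cluster pulls.
GIT_IMAGE = "example.invalid/git:placeholder"

# Lowest patch release per minor that carries the fix (from the advisory).
# Minors below 1.28 never received a fix; 1.31+ were never affected.
FIXED_PATCH = {28: 12, 29: 7, 30: 3}


def is_kubelet_fixed(version):
    """True if this kubelet version carries the CVE-2024-10220 fix."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return major > 1
    if minor > 30:
        return True
    if minor < 28:
        return False
    return patch >= FIXED_PATCH[minor]


def find_git_repo_volumes(pod):
    """Return (volume name, repository, directory) for each gitRepo volume."""
    found = []
    for vol in pod.get("spec", {}).get("volumes", []):
        git = vol.get("gitRepo")
        if git is not None:
            found.append((vol["name"], git.get("repository"), git.get("directory", "")))
    return found


def replace_git_repo_volume(pod, vol_name):
    """Return a copy of `pod` where gitRepo volume `vol_name` becomes an
    emptyDir that an init container fills with `git clone`, so the clone
    runs in an ordinary, unprivileged container instead of in the kubelet."""
    new_pod = deepcopy(pod)
    spec = new_pod["spec"]
    for vol in spec["volumes"]:
        if vol["name"] == vol_name and "gitRepo" in vol:
            git = vol.pop("gitRepo")
            vol["emptyDir"] = {}
            break
    else:
        raise ValueError(f"no gitRepo volume named {vol_name!r}")
    # gitRepo clones into <volume>/<directory>, or <volume>/<repo name> when
    # directory is unset; reproduce that layout relative to the mount point.
    # "--" stops a repository string starting with "-" being read as an option.
    clone_args = ["clone", "--", git["repository"]]
    if git.get("directory"):
        clone_args.append(git["directory"])
    init = {
        "name": f"clone-{vol_name}",
        "image": GIT_IMAGE,
        "command": ["git"],
        "args": clone_args,
        "workingDir": "/work",
        "volumeMounts": [{"name": vol_name, "mountPath": "/work"}],
        "securityContext": {"allowPrivilegeEscalation": False},
    }
    spec.setdefault("initContainers", []).append(init)
    return new_pod


def audit(pod, kubelet_version):
    """Return (flagged gitRepo volumes, whether the kubelet has the fix)."""
    return find_git_repo_volumes(pod), is_kubelet_fixed(kubelet_version)


# Constructed sample: a pod using the pattern the report describes
# (gitRepo volume cloning into a subdirectory).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "builder"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:placeholder",
            "volumeMounts": [{"name": "src", "mountPath": "/src"}],
        }],
        "volumes": [{
            "name": "src",
            "gitRepo": {"repository": "https://example.invalid/repo.git",
                        "directory": "app"},
        }],
    },
}

if __name__ == "__main__":
    flagged, fixed = audit(SAMPLE_POD, "v1.30.2")
    for name, repo, directory in flagged:
        print(f"gitRepo volume {name!r} clones {repo} into {directory or '<repo name>'}")
    print("kubelet has fix:", fixed)
    safe = replace_git_repo_volume(SAMPLE_POD, "src")
    print("init container args:", safe["spec"]["initContainers"][0]["args"])
```

Running the script on the sample pod flags the `src` volume, reports that kubelet v1.30.2 lacks the fix, and emits the replacement spec in which the clone is performed by a regular init container with `allowPrivilegeEscalation: false`, so any hooks in the fetched repository run only within that container rather than with the kubelet's host privileges.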
Source: This report was generated using AI