CVE-2024-3177: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

A security vulnerability (CVE-2024-3177) was discovered in Kubernetes that allows users to bypass the mountable secrets policy enforced by the ServiceAccount admission plugin. The vulnerability affects containers, init containers, and ephemeral containers using the envFrom field. This issue was discovered in April 2024 and affects Kubernetes versions kube-apiserver v1.29.0-v1.29.3, v1.28.0-v1.28.8, and versions <= v1.27.12. The vulnerability has been rated as Low severity with a CVSS score of 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) (Kubernetes Issue, OSS Security).

The vulnerability exists in the ServiceAccount admission plugin's policy enforcement mechanism. The issue specifically occurs when containers use the envFrom field populated while running with a service account that has the kubernetes.io/enforce-mountable-secrets annotation. The policy is designed to ensure pods running with a service account may only reference secrets specified in the service account's secrets field, but this restriction could be bypassed through the envFrom field configuration (Kubernetes Issue).

The vulnerability allows authenticated users to access secrets that should be restricted by the ServiceAccount admission plugin's mountable secrets policy. This could lead to unauthorized access to sensitive information stored in Kubernetes secrets, though the impact is limited due to the high privileges required for exploitation (Kubernetes Issue).

The vulnerability has been patched in the following versions: kube-apiserver v1.29.4, v1.28.9, and v1.27.13. Users should upgrade to these fixed versions to mitigate the vulnerability. The patch prevents containers with envFrom field populated from bypassing the mountable secrets policy. Detection of potential exploitation can be performed using API audit logs and by identifying active pods using the kubernetes.io/enforce-mountable-secrets annotation (Kubernetes Issue, OSS Security).