Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder
A critical vulnerability has been fixed in the latest Kubernetes Image Builder release. The flaw stemmed from hard-coded credentials that gave an adversary unauthorized access.
According to its latest advisory, two security issues were patched in the latest Kubernetes Image Builder. The first, tracked as CVE-2024-9486 (CVSS score 9.8), stemmed from hard-coded credentials enabled during the image-building process. Those credentials remained enabled in virtual machine (VM) images built with the Proxmox provider, giving an unauthorized adversary root access to any node running those images.
The same Image Builder release also addressed a second flaw, tracked as CVE-2024-9594. This medium-severity vulnerability (CVSS 6.3) is the same underlying issue, but its severity is lower for images built with the Nutanix, OVA, QEMU, or raw providers. It is therefore tracked separately, in its own GitHub advisory.
Users should update to Kubernetes Image Builder version 0.1.38 or later to receive both patches.
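Two checks a cluster operator would want after reading this advisory: whether a given Image Builder version is at or past the 0.1.38 fix threshold, and whether a built image still carries an account with a usable password hash (the generic symptom of build-time credentials that were never disabled). The script below is an added example written for this post, not code from the Kubernetes Image Builder project; the account name `buildtmp` and the shadow-file contents are constructed sample data, and the advisory does not name the actual credential, so the check looks for any non-locked password hash rather than a specific account.

```python
"""Defender-side audit helpers for the Kubernetes Image Builder advisory.

Added example (not Image Builder project code). Two checks:

1. is_fixed_version(): does an Image Builder version string meet the
   0.1.38 fix threshold from the advisory?
2. find_active_password_accounts(): given the text of /etc/shadow copied
   from a built image, which accounts still have a usable password hash?
   A build-time account that should have been locked or removed shows up
   here regardless of its name.
"""
import re

# Fix threshold stated in the advisory.
FIXED_VERSION = (0, 1, 38)


def parse_version(version):
    """Parse 'v0.1.38' or '0.1.38' into a comparable (major, minor, patch) tuple."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed_version(version):
    """True when the Image Builder version includes the CVE-2024-9486/9594 fix."""
    return parse_version(version) >= FIXED_VERSION


def find_active_password_accounts(shadow_text):
    """Return usernames whose /etc/shadow entry carries a real password hash.

    Field 2 of each shadow line is the hash. An empty field means no
    password is set; a field beginning with '*', '!' or '!!' is locked.
    Anything else (typically starting with '$') is an active password that
    could be used for login, which is what a leftover build credential
    looks like on disk.
    """
    active = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        user, hashed = fields[0], fields[1]
        if hashed and not hashed.startswith(("!", "*")):
            active.append(user)
    return active


# Constructed sample shadow file: system accounts locked, one leftover
# build account ('buildtmp', a made-up name) still holding a SHA-512 hash.
SAMPLE_SHADOW = """root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
buildtmp:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuv:19700:0:99999:7:::
sshd:!:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for candidate in ("v0.1.37", "v0.1.38", "0.2.0"):
        status = "patched" if is_fixed_version(candidate) else "VULNERABLE"
        print(f"image-builder {candidate}: {status}")
    leftovers = find_active_password_accounts(SAMPLE_SHADOW)
    print("accounts with active password hashes:", leftovers)
```

On a real node the shadow check would read `/etc/shadow` from a mounted image or via a privileged pod; the version check is meant for the version string recorded in your image build pipeline. Any account the shadow check reports that you did not intentionally provision should be locked or removed before the image is used for nodes.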
See more: https://latesthackingnews.com/2024/10/28/hard-coded-credentials-vulnerability-found-in-kubernetes-image-builder/