First published: Thu Mar 20 2025
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kubernetes Dashboard | | |
| go/k8s.io/kubernetes/cmd/kube-apiserver | >=1.3.0 <=1.32.3 | |
The severity of CVE-2024-7598 is considered high because network policies can go unenforced during namespace deletion.
To fix CVE-2024-7598, you should update Kubernetes to the latest version where this vulnerability has been addressed.
CVE-2024-7598 affects the network policy enforcement component in Kubernetes.
CVE-2024-7598 allows a malicious pod to bypass network restrictions set by network policies during the deletion of namespaces.
While there is no official workaround, you can limit the privileges of pods in namespaces to mitigate the impact of CVE-2024-7598.
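An audit-log check for the window described above, added here as an example (it is not SecAlerts' or the Kubernetes project's code): it walks API-server audit events in the standard audit.k8s.io shape (stage, verb, objectRef, requestReceivedTimestamp) and reports namespaces where a NetworkPolicy was deleted while pods were still present, which is the ordering this advisory warns about. The events are constructed samples and the user names in them are assumed.

```python
import json
from datetime import datetime

def find_exposure_windows(audit_lines):
    """Per namespace: pods still present when a NetworkPolicy was deleted, and
    seconds until the last of them was deleted (None if still present at log end)."""
    live = {}     # namespace -> set of pod names currently present
    exposed = {}  # namespace -> {"start", "pods", "remaining", "end"}
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # skip the RequestReceived stage so each request counts once
        ref, verb = ev.get("objectRef", {}), ev["verb"]
        ns, res, name = ref.get("namespace"), ref.get("resource"), ref.get("name")
        t = datetime.strptime(ev["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if res == "pods":
            pods = live.setdefault(ns, set())
            if verb == "create":
                pods.add(name)
            elif verb in ("delete", "deletecollection"):
                gone = {name} if verb == "delete" else set(pods)  # collection = all
                pods -= gone
                if (w := exposed.get(ns)) and w["end"] is None:
                    w["remaining"] -= gone
                    if not w["remaining"]:
                        w["end"] = t  # last exposed pod's delete request seen
        elif res == "networkpolicies" and verb in ("delete", "deletecollection"):
            if live.get(ns) and ns not in exposed:  # policy gone, pods still there
                exposed[ns] = {"start": t, "pods": set(live[ns]),
                               "remaining": set(live[ns]), "end": None}
    return {ns: {"pods": sorted(w["pods"]), "seconds": None if w["end"] is None
                 else (w["end"] - w["start"]).total_seconds()}
            for ns, w in exposed.items()}

def _ev(ts, verb, resource, ns, name, user):  # builds one constructed audit line
    return json.dumps({"stage": "ResponseComplete", "verb": verb, "requestReceivedTimestamp": ts,
                       "user": {"username": user}, "objectRef": {"resource": resource, "namespace": ns, "name": name}})

NSC = "system:serviceaccount:kube-system:namespace-controller"  # assumed user name
SAMPLE_AUDIT = [  # constructed sample, not taken from a real cluster
    _ev("2025-03-20T10:00:00.000000Z", "create", "pods", "payments", "api-0", "rs-controller"),
    _ev("2025-03-20T10:00:00.100000Z", "create", "pods", "payments", "api-1", "rs-controller"),
    _ev("2025-03-20T10:00:01.000000Z", "create", "pods", "batch", "job-0", "rs-controller"),
    # "payments" is torn down in the unlucky order: its policies go before its pods
    _ev("2025-03-20T10:05:00.000000Z", "deletecollection", "networkpolicies", "payments", None, NSC),
    _ev("2025-03-20T10:05:02.500000Z", "deletecollection", "pods", "payments", None, NSC),
    # "batch" loses its pods first, so no unprotected window opens there
    _ev("2025-03-20T10:06:00.000000Z", "deletecollection", "pods", "batch", None, NSC),
    _ev("2025-03-20T10:06:01.000000Z", "deletecollection", "networkpolicies", "batch", None, NSC),
]
```

The end of the window is taken as the last exposed pod's delete request; graceful termination can keep containers running past that point, so the reported seconds are a lower bound. Deleting the workloads and waiting until their pods are gone before deleting the namespace leaves nothing for the undefined deletion order to expose.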