Platform: kubernetes
Component: azure-kubernetes-service-confidential-container
Fixed in: 0.3.3
CVE-2024-21400 is a critical elevation of privilege vulnerability in Microsoft Azure Kubernetes Service Confidential Containers. An attacker who exploits it can escalate privileges past the boundary a confidential container is supposed to enforce, gaining a foothold in the surrounding Kubernetes cluster. All versions before 0.3.3 are affected (the advisory data lists a lower bound of 1.0.0, which cannot be read literally since it exceeds the fixed version); the fix ships in version 0.3.3.
Successful exploitation of CVE-2024-21400 could give an attacker unauthorized access to sensitive data and resources within the Azure Kubernetes Service environment. Because the escalation crosses the confidential container boundary, it defeats the isolation that protects data in use and can expose workloads that were deployed precisely because they could not tolerate a compromised host. From there the usual consequences follow: data exposure, service disruption, and lateral movement within the cluster. The impact is particularly severe given the intended purpose of Confidential Containers, which is to isolate workloads and protect data while it is being processed.
This vulnerability was publicly disclosed on March 12, 2024. Its CVSS base score of 9.0 (Critical) measures severity, not likelihood of exploitation; the EPSS figure listed below is the likelihood estimate. No public proof-of-concept exploit is known at the time of writing, and the CVE is not listed in the CISA KEV catalog, but the severity still warrants prompt remediation.
Exploit Status
EPSS
EPSS: 1.20% (79th percentile)
The primary mitigation for CVE-2024-21400 is to upgrade Azure Kubernetes Service Confidential Containers to version 0.3.3 or later. If an immediate upgrade is not possible, tighten NetworkPolicy and access controls (RBAC) within the cluster so that a successful escalation out of one container reaches as little as possible, and audit the cluster configuration for misconfigurations that would make the escalated position more useful to an attacker. After upgrading, confirm the fix by checking that the Confidential Container component actually reports version 0.3.3 or later rather than assuming the upgrade applied.
Update the Azure Kubernetes Service Confidential Containers component to version 0.3.3 or later; the AKS cluster version itself is numbered differently and is not what this advisory refers to. This resolves the privilege escalation vulnerability. See the Microsoft advisory for detailed update instructions.
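The post-upgrade check the paragraphs above call for, as an added example that is not code from the advisory or from Microsoft. It assumes the relevant number is the version of the `confcom` Azure CLI extension as printed by `az extension list -o json` (an assumption; the page does not say which component carries the version), embeds a constructed sample of that output so it runs offline, and compares the observed version with the fixed version 0.3.3 component by component, so that a future 0.3.10 is not mistaken for being older than 0.3.3 the way a plain string comparison would.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Microsoft. It decides whether
# an observed Confidential Containers tooling version is below the fixed version
# 0.3.3 named on this page. Assumption: the version of interest is the "confcom"
# Azure CLI extension as printed by `az extension list -o json`. A constructed
# sample of that output is embedded so the script runs offline.

FIXED_VERSION="0.3.3"

# Constructed sample, standing in for real `az extension list -o json` output.
SAMPLE_JSON='[
  {"name": "aks-preview", "version": "0.5.150"},
  {"name": "confcom", "version": "0.3.1"}
]'

# Print the version of the named extension from az-style JSON, or nothing if
# the extension is absent. Splits the input on "}" so each object is one record.
extension_version() {
  printf '%s' "$1" | awk -v name="$2" 'BEGIN { RS = "}" }
    $0 ~ "\"name\": *\"" name "\"" {
      if (match($0, /"version": *"[^"]*"/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/.*"version": *"/, "", v)
        sub(/"$/, "", v)
        print v
      }
    }'
}

# Return 0 when $1 sorts strictly before $2 as dotted numeric versions.
# Missing trailing components count as 0; pre-release suffixes are not handled.
version_lt() {
  i=1
  while :; do
    # A trailing dot guarantees a delimiter, so a missing field reads as empty.
    a=$(printf '%s.' "$1" | cut -d. -f"$i")
    b=$(printf '%s.' "$2" | cut -d. -f"$i")
    if [ -z "$a" ] && [ -z "$b" ]; then
      return 1            # every component compared equal
    fi
    a=${a:-0}
    b=${b:-0}
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
}

# Classify the observed confcom version: prints "affected", "fixed" or "missing".
assess_confcom() {
  observed=$(extension_version "$1" confcom)
  if [ -z "$observed" ]; then
    echo missing
  elif version_lt "$observed" "$FIXED_VERSION"; then
    echo affected
  else
    echo fixed
  fi
}

# Stand-alone run over the constructed sample: 0.3.1 < 0.3.3, so "affected".
case "$(assess_confcom "$SAMPLE_JSON")" in
  affected) echo "confcom $(extension_version "$SAMPLE_JSON" confcom) is below $FIXED_VERSION: affected by CVE-2024-21400, upgrade" ;;
  fixed)    echo "confcom is at or above $FIXED_VERSION" ;;
  missing)  echo "confcom extension not present in this output" ;;
esac
```

To use it against a live cluster, replace `SAMPLE_JSON` with the real `az extension list -o json` output; a `missing` verdict means the extension is not installed on that machine, which says nothing about the cluster, so check the component version through whatever path your environment exposes.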
CVE-2024-21400 is a critical vulnerability in Azure Kubernetes Service Confidential Containers that lets an attacker escalate privileges beyond the confidential container boundary. It affects all versions before 0.3.3 and carries a CVSS base score of 9.0.
If you are using Azure Kubernetes Service Confidential Containers at any version before 0.3.3, you are affected by this vulnerability. Check your version immediately.
Upgrade Azure Kubernetes Service Confidential Containers to version 0.3.3 or later to resolve this vulnerability. If an immediate upgrade is not possible, tighten network policies and access controls to limit what an escalated container can reach.
No public exploit is known and the EPSS estimate is low, but the Critical severity (CVSS 9.0) means a successful attack would be severe, so remediate promptly rather than waiting for evidence of exploitation.
Refer to the Microsoft Security Update Guide for CVE-2024-21400: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21400