PT-2024-29898 · Unknown · Kubernetes

Credits: Alvaro Muñoz +1

Published: 2024-08-20 · Updated: 2024-08-21

CVE-2024-42363

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kubernetes versions prior to 3385

Description: The user-controlled role parameter enters the application through Kubernetes::RoleVerificationsController. It flows into the RoleConfigFile initializer and from there into Kubernetes::Util.parse_file, where it is unsafely deserialized with YAML.load_stream. Because YAML.load_stream resolves Ruby-specific tags with an unrestricted class loader, attacker-supplied YAML can instantiate arbitrary classes, which may lead to Remote Code Execution (RCE).

Recommendations: For versions prior to 3385, update to version 3385 or later to resolve the issue. As a temporary workaround, restrict access to Kubernetes::RoleVerificationsController to minimize the risk of exploitation, and avoid using the role parameter of the affected API endpoint until the issue is resolved.
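As an added illustration, not code from the advisory or from the affected project: the unsafe YAML.load_stream pattern named above beside a hardened equivalent that routes every document of a multi-document stream through Psych.safe_load. The class RoleStub, the two helper functions and the sample manifests are constructed for this example.

```ruby
require 'yaml'

# Constructed stand-in for an application class; not from the advisory.
class RoleStub
  attr_reader :name
end

# Constructed sample: a two-document manifest of the kind a role config file
# holds. Only plain mappings and scalars, as a legitimate role file would have.
BENIGN_ROLE_YAML = <<~YAML
  ---
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: web
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: web
YAML

# Constructed sample: a document whose tag asks Psych to instantiate a class.
TAGGED_ROLE_YAML = <<~YAML
  --- !ruby/object:RoleStub
  name: admin
YAML

# Pattern named in the advisory. YAML.load_stream (Psych 3, 4 and 5) resolves
# !ruby/... tags with an unrestricted class loader, so the input picks classes.
def parse_role_config_unsafe(content)
  YAML.load_stream(content)
end

# Hardened form: parse to AST nodes, re-emit each document on its own and load
# it with Psych.safe_load, which allows only basic YAML types (plus classes
# listed in permitted_classes) and raises Psych::DisallowedClass otherwise.
# Anchors/aliases are rejected by default as well (pass aliases: true if needed).
def parse_role_config_safe(content, permitted_classes: [])
  YAML.parse_stream(content).children.map do |document|
    stream = Psych::Nodes::Stream.new
    stream.children << document
    YAML.safe_load(stream.to_yaml, permitted_classes: permitted_classes)
  end
end
```

On TAGGED_ROLE_YAML, parse_role_config_unsafe returns a RoleStub instance with @name set from the input, while parse_role_config_safe raises Psych::DisallowedClass. A fix of this shape must also list Date or Time in permitted_classes if the role files contain such scalars.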

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-42363

Affected Products: Kubernetes