Acknowledged

LIN1022-14298 : Security Advisory - kubernetes - CVE-2025-1767

Created: Mar 14, 2025    Updated: Apr 13, 2026
Resolved Date: Apr 13, 2026
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Userspace

Description

This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.

========Wind River Notice========

Refer to [1]: the upstream Kubernetes project considers this a won't-fix at the code level. The recommended mitigation is to stop using the gitRepo volume type.

The gitRepo volume plugin is deprecated and is disabled by default since 1.33 [2].

Primary mitigation:
To provision a Pod that has a Git repository mounted, mount an emptyDir volume into an init container that clones the repository using Git, then mount the same emptyDir into the Pod's application container.

You can restrict the use of gitRepo volumes in your cluster using policies, such as ValidatingAdmissionPolicy. You can use the following Common Expression Language (CEL) expression as part of a policy to reject use of gitRepo volumes:

!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))
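The expression above wired into an enforceable ValidatingAdmissionPolicy, with the init-container replacement pattern from the primary mitigation alongside it, as an added example that is not part of this advisory or of the Kubernetes project. It assumes Kubernetes 1.30 or later (ValidatingAdmissionPolicy at admissionregistration.k8s.io/v1); the policy, binding and Pod names, the container images and the repository URL are placeholders.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes        # placeholder name
spec:
  failurePolicy: Fail               # if the policy cannot be evaluated, refuse the request
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["pods"]
  validations:
  # Passes when the Pod declares no volumes, or when none of them sets gitRepo.
  - expression: "!has(object.spec.volumes) || !object.spec.volumes.exists(v, has(v.gitRepo))"
    message: "gitRepo volumes are deprecated (CVE-2025-1767); clone the repository in an init container into an emptyDir instead."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes
spec:
  policyName: deny-gitrepo-volumes
  validationActions: [Deny]         # start with [Audit] or [Warn] to inventory existing users first
---
# Replacement pattern: an init container clones into an emptyDir, which the
# application container then mounts read-only.
apiVersion: v1
kind: Pod
metadata:
  name: repo-consumer               # placeholder name
spec:
  volumes:
  - name: repo
    emptyDir: {}
  initContainers:
  - name: clone
    image: alpine/git               # assumption: any image whose entrypoint is the git CLI
    args: ["clone", "--depth=1", "https://example.invalid/org/repo.git", "/repo"]
    volumeMounts:
    - name: repo
      mountPath: /repo
  containers:
  - name: app
    image: busybox                  # placeholder application image
    command: ["sh", "-c", "ls /repo && sleep 3600"]
    volumeMounts:
    - name: repo
      mountPath: /repo
      readOnly: true
```

Apply with `kubectl apply -f` and confirm that a Pod declaring a `gitRepo` volume is rejected with the policy message, while the Pod above is admitted.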

[1] https://github.com/kubernetes/kubernetes/issues/130786
[2] https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
