CVE-2023-2728


Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.


Published

2023-07-03T21:15:09.557

Last Modified

2025-02-13T17:16:22.447

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-20
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | kubernetes | kubernetes | ≤ 1.24.14 | Yes |
| Application | kubernetes | kubernetes | ≤ 1.25.10 | Yes |
| Application | kubernetes | kubernetes | ≤ 1.26.5 | Yes |
| Application | kubernetes | kubernetes | ≤ 1.27.2 | Yes |

References