Vulnerability Description
An authentication bypass vulnerability was discovered in kube-apiserver. A remote, authenticated attacker who has been granted the "update" or "patch" verb on the "pods/ephemeralcontainers" subresource (a permission that is not granted by default) could create a new pod, or patch a pod they already have access to, and add an ephemeral container to it. This might allow evasion of SecurityContextConstraints (SCC) admission restrictions, thereby gaining control of a privileged pod. Although the vendor text calls this an authentication bypass, the attacker must already be authenticated; exposure depends on RBAC grants for this subresource that a cluster administrator has made beyond the defaults, so the practical check is to find who holds such grants.
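Because the precondition is a non-default RBAC grant of update/patch on pods/ephemeralcontainers, the first thing a cluster operator wants is an audit of who actually holds it. The script below is an added example, not code from the page, Red Hat or the Kubernetes project. It reads the JSON shape that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns (an `items` list), applies the same resource-matching rules kube-apiserver RBAC uses (`*`, an exact `pods/ephemeralcontainers`, or `*/ephemeralcontainers`), skips built-in roles carrying the `kubernetes.io/bootstrapping: rbac-defaults` label, and maps each matching role to its bound subjects. The role, binding and subject names in the embedded sample are constructed for illustration.

```python
"""Audit RBAC for non-default update/patch grants on pods/ephemeralcontainers (CVE-2023-1260 precondition)."""
import json

TARGET_RESOURCE = "pods"
TARGET_SUBRESOURCE = "ephemeralcontainers"
TARGET_VERBS = {"update", "patch"}
CORE_GROUPS = {"", "*"}               # the pods resource lives in the core ("") API group
DEFAULT_ROLE_LABEL = "kubernetes.io/bootstrapping"  # value "rbac-defaults" marks built-in roles


def resource_matches(rule_resources, resource, subresource):
    """Mirror kube-apiserver RBAC matching: '*', exact 'pods/ephemeralcontainers', or '*/ephemeralcontainers'."""
    combined = f"{resource}/{subresource}"
    return any(r in ("*", combined, f"*/{subresource}") for r in rule_resources)


def rule_grants_target(rule):
    """True if one PolicyRule lets its holder update or patch pods/ephemeralcontainers."""
    groups = set(rule.get("apiGroups", []) or [])
    verbs = set(rule.get("verbs", []) or [])
    if not groups & CORE_GROUPS:
        return False
    if not resource_matches(rule.get("resources", []) or [], TARGET_RESOURCE, TARGET_SUBRESOURCE):
        return False
    return "*" in verbs or bool(verbs & TARGET_VERBS)


def is_default_role(obj):
    labels = obj.get("metadata", {}).get("labels", {}) or {}
    return labels.get(DEFAULT_ROLE_LABEL) == "rbac-defaults"


def risky_roles(items, include_defaults=False):
    """Return a set of (kind, namespace, name) for Roles/ClusterRoles granting the target."""
    found = set()
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if not include_defaults and is_default_role(obj):
            continue
        if any(rule_grants_target(r) for r in obj.get("rules", []) or []):
            md = obj["metadata"]
            found.add((obj["kind"], md.get("namespace", ""), md["name"]))
    return found


def subjects_for(roles, items):
    """Map each risky role to the subjects bound to it. A RoleBinding may reference a ClusterRole;
    that grant is namespace-scoped, but this report does not track the binding's namespace."""
    out = {}
    for obj in items:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, md = obj["roleRef"], obj["metadata"]
        ns = "" if ref["kind"] == "ClusterRole" else md.get("namespace", "")
        key = (ref["kind"], ns, ref["name"])
        if key not in roles:
            continue
        for s in obj.get("subjects", []) or []:
            if s["kind"] == "ServiceAccount":
                ident = f'ServiceAccount:{s.get("namespace", "")}/{s["name"]}'
            else:
                ident = f'{s["kind"]}:{s["name"]}'
            out.setdefault(key, set()).add(ident)
    return out


# Constructed sample in the shape of `kubectl get ... -o json` items (names are illustrative).
SAMPLE_ITEMS = json.loads("""
[
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin",
   "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ephemeral-debug"},
  "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["update", "patch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ephemeral-view"},
  "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "ns-wildcard", "namespace": "dev"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "subresource-glob", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["*/ephemeralcontainers"], "verbs": ["patch"]}]},
 {"kind": "Role", "metadata": {"name": "apps-editor", "namespace": "dev"},
  "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ephemeral-debug-alice"},
  "roleRef": {"kind": "ClusterRole", "name": "ephemeral-debug"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-wildcard", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "ns-wildcard"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "dev"}]},
 {"kind": "RoleBinding", "metadata": {"name": "debug-in-dev", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "ephemeral-debug"},
  "subjects": [{"kind": "Group", "name": "developers"}]}
]
""")

if __name__ == "__main__":
    roles = risky_roles(SAMPLE_ITEMS)
    bound = subjects_for(roles, SAMPLE_ITEMS)
    for key in sorted(roles):
        print(f"{key[0]} {key[1] or '-'}/{key[2]}: {sorted(bound.get(key, [])) or 'no bindings'}")
```

Run against a live cluster by replacing `SAMPLE_ITEMS` with the parsed output of the kubectl command above. Roles that match but have no bindings are still reported, since a later binding would activate them; pass `include_defaults=True` to also list built-in roles such as cluster-admin, which match by design and are normally out of scope for this audit.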
CVSS Score
8.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kube-Apiserver | - |
| Redhat | Openshift Container Platform | 4.10 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2023:3976 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:4093 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:4312 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:4898 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:5008
- https://access.redhat.com/security/cve/CVE-2023-1260 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2176267 (Issue Tracking, Third Party Advisory)
- https://github.com/advisories/GHSA-92hx-3mh6-hc49
- https://security.netapp.com/advisory/ntap-20231020-0010/ (Third Party Advisory)
FAQ
What is CVE-2023-1260?
CVE-2023-1260 is a vulnerability with a CVSS score of 8.0 (HIGH). An authentication bypass vulnerability was discovered in kube-apiserver. A remote, authenticated attacker who has been granted the "update" or "patch" verb on the "pods/ephemeralcontainers" subresource, beyond the default permissions, could create a new pod or patch one they already have access to and thereby evade SCC admission restrictions, gaining control of a privileged pod.
How severe is CVE-2023-1260?
CVE-2023-1260 has been rated HIGH with a CVSS base score of 8.0/10. Only the base score and qualitative rating are recorded on this page; the Red Hat CVE page and the advisories in the references carry the full CVSS vector and per-product severity.
Is there a patch for CVE-2023-1260?
Yes. Fixed packages are published in the Red Hat Security Advisories (RHSA-2023:3976, 4093, 4312, 4898 and 5008) listed in the references above. Affected products include Kubernetes kube-apiserver and Red Hat OpenShift Container Platform 4.10. Until patched, review and remove any non-default RBAC grants of "update" or "patch" on the "pods/ephemeralcontainers" subresource.