Vulnerability Description
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kubernetes | Kubernetes | <= 1.24.14 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/07/06/3Mailing List
- https://github.com/kubernetes/kubernetes/issues/118640Issue Tracking
- https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8Mailing List
- https://security.netapp.com/advisory/ntap-20230803-0004/
- http://www.openwall.com/lists/oss-security/2023/07/06/3Mailing List
- https://github.com/kubernetes/kubernetes/issues/118640Issue Tracking
- https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8Mailing List
- https://security.netapp.com/advisory/ntap-20230803-0004/
FAQ
What is CVE-2023-2728?
CVE-2023-2728 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a ...
How severe is CVE-2023-2728?
CVE-2023-2728 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-2728?
Check the references section above for vendor advisories and patch information. Affected products include: Kubernetes Kubernetes.