CVE-2023-2431
published 2023-06-16CVE-2023-2431: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but…
PriorityP425medium5.5CVSS 3.1
AVLACLPRLUINSUCNIHAN
EPSS
0.26%
16.9th percentile
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| k8s.io | kubernetes | >= 0 < 1.24.14 | 1.24.14 |
| k8s.io | kubernetes | >= 1.25.0 < 1.25.10 | 1.25.10 |
| k8s.io | kubernetes | >= 1.26.0 < 1.26.5 | 1.26.5 |
| k8s.io | kubernetes | >= 1.27.0 < 1.27.2 | 1.27.2 |
| kubernetes | kubernetes | < v1.24.14 | v1.24.14 |
| kubernetes | kubernetes | < 1.24.14 | 1.24.14 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 1.25.0 < 1.25.10 | 1.25.10 |
| kubernetes | kubernetes | >= 1.26.0 < 1.26.5 | 1.26.5 |
| kubernetes | kubernetes | >= 1.27.0 < 1.27.2 | 1.27.2 |
| kubernetes | kubernetes | >= v1.25.0 < v1.25.9 | v1.25.9 |
| kubernetes | kubernetes | >= v1.26.0 < v1.26.4 | v1.26.4 |
| kubernetes | kubernetes | >= v1.27.0 < v1.27.1 | v1.27.1 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
osv5.5MEDIUM
vendor_debian3.4LOW
vendor_redhat3.4LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes
osv·2024-08-20
CVE-2023-2431 Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes
Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes
Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes
GHSA
Kubelet vulnerable to bypass of seccomp profile enforcement
ghsa·2023-06-16
CVE-2023-2431 [MEDIUM] CWE-1287 Kubelet vulnerable to bypass of seccomp profile enforcement
Kubelet vulnerable to bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
OSV
CVE-2023-2431: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement
osv·2023-06-16·CVSS 5.5
CVE-2023-2431 [MEDIUM] CVE-2023-2431: A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
OSV
Kubelet vulnerable to bypass of seccomp profile enforcement
osv·2023-06-16
CVE-2023-2431 [MEDIUM] Kubelet vulnerable to bypass of seccomp profile enforcement
Kubelet vulnerable to bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
Red Hat
kubernetes: Bypass of seccomp profile enforcement
vendor_redhat·2023-06-16·CVSS 3.4
CVE-2023-2431 [LOW] CWE-1287 kubernetes: Bypass of seccomp profile enforcement
kubernetes: Bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
A flaw was found in Kubernetes. This issue occurs when Kubernetes allows a local authenticated attacker to bypass security restrictions, caused by a flaw when using the localhost type for a seccomp profile but specifying an empty profile field. An attacker can bypass the seccomp profile enforcement by sending a specially crafted request.
Package: kubernetes (CloudForms Management Engine 5) - Not affected
Debian
CVE-2023-2431: kubernetes - A security issue was discovered in Kubelet that allows pods to bypass the seccom...
vendor_debian·2023·CVSS 3.4
CVE-2023-2431 [LOW] CVE-2023-2431: kubernetes - A security issue was discovered in Kubelet that allows pods to bypass the seccom...
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
arXiv
KubeFence: Security Hardening of the Kubernetes Attack Surface
arxiv_fulltext·2025-04-15
KubeFence: Security Hardening of the Kubernetes Attack Surface
: Security Hardening of the
Kubernetes Attack Surface
Carmine Cesarano, Roberto Natella
Universit\`a degli Studi di Napoli Federico II, Italy
\carmine.cesarano2, roberto.natella\@unina.it
## Abstract
Kubernetes (K8s) is widely used to orchestrate containerized applications, including critical services in domains such as finance, healthcare, and government. However, its extensive and feature-rich API interface exposes a broad attack surface, making K8s vulnerable to exploits of software vulnerabilities and misconfigurations. Even if K8s adopts role-based access control (RBAC) to manage access to K8s APIs, this approach lacks the granularity needed to protect specification attributes within API requests.
This paper proposes a novel solution, , which implements finer-grain API filtering t
Bugzilla
CVE-2023-2431 kubernetes: Bypass of seccomp profile enforcement
bugzilla·2023-06-16·CVSS 5.5
CVE-2023-2431 [MEDIUM] CVE-2023-2431 kubernetes: Bypass of seccomp profile enforcement
CVE-2023-2431 kubernetes: Bypass of seccomp profile enforcement
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
References:
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
https://github.com/kubernetes/kubernetes/issues/118690
Discussion:
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 2215556]
---
FEDORA-2023-c7f63322b5 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
---
T
https://github.com/kubernetes/kubernetes/issues/118690https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10https://lists.fedoraproject.org/archives/list/[email protected]/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/https://lists.fedoraproject.org/archives/list/[email protected]/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/https://github.com/kubernetes/kubernetes/issues/118690https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10https://lists.fedoraproject.org/archives/list/[email protected]/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/https://lists.fedoraproject.org/archives/list/[email protected]/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/https://github.com/kubernetes/kubernetes/issues/118690
2023-06-16
Published