CVE-2023-2727
Published 2023-07-03
Priority P335 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.13% (62.5th percentile)
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.24.15 | 1.24.15 |
| k8s.io | kubernetes | >= 1.25.0 < 1.25.11 | 1.25.11 |
| k8s.io | kubernetes | >= 1.26.0 < 1.26.6 | 1.26.6 |
| k8s.io | kubernetes | >= 1.27.0 < 1.27.3 | 1.27.3 |
| kubernetes | kubernetes | <= 1.24.14 | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | 1.25.0 – 1.25.10 | — |
| kubernetes | kubernetes | 1.26.0 – 1.26.5 | — |
| kubernetes | kubernetes | 1.27.0 – 1.27.2 | — |
| kubernetes | kubernetes | v1.24.14 – <= | — |
CVSS provenance
nvd · v3.1 · 6.5 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
osv · 6.5 · MEDIUM
vendor_debian · 6.5 · MEDIUM
vendor_redhat · 6.5 · MEDIUM
Red Hat
kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin
vendor_redhat·2023-06-15·CVSS 6.5
CVE-2023-2727 [MEDIUM] kube-apiserver: Bypassing policies imposed by the ImagePolicyWebhook admission plugin
A flaw was found in Kubernetes, where users may be able to launch containers using images restricted by the ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Mitigation: This issue can be mitigated by applying the patch provided for the kube-apiserver component. This patch prevents ephemeral containers from using an image that is
Debian
CVE-2023-2727: kubernetes - Users may be able to launch containers using images that are restricted by Image...
vendor_debian·2023·CVSS 6.5
CVE-2023-2727 [MEDIUM] CVE-2023-2727: kubernetes - Users may be able to launch containers using images that are restricted by Image...
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
OSV
Vulnerable to policy bypass in kube-apiserver in k8s.io/kubernetes
osv·2024-08-20
CVE-2023-2727 Vulnerable to policy bypass in kube-apiserver in k8s.io/kubernetes
GHSA
kube-apiserver vulnerable to policy bypass
ghsa·2023-07-03
CVE-2023-2727 [MEDIUM] CWE-20 kube-apiserver vulnerable to policy bypass
OSV
kube-apiserver vulnerable to policy bypass
osv·2023-07-03
CVE-2023-2727 [MEDIUM] kube-apiserver vulnerable to policy bypass
OSV
CVE-2023-2727: Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers
osv·2023-07-03·CVSS 6.5
CVE-2023-2727 [MEDIUM] CVE-2023-2727: Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2023/07/06/2
https://github.com/kubernetes/kubernetes/issues/118640
https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
https://security.netapp.com/advisory/ntap-20230803-0004/
2023-07-03
Published