CVE-2023-2728
published 2023-07-03CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral…
PriorityP340medium6.5CVSS 3.1
AVNACLPRHUINSUCHIHAN
EPSS
2.16%
79.9th percentile
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm) | kubernetes 1.20.5+really1.20.2-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.24.15 | 1.24.15 |
| k8s.io | kubernetes | >= 1.25.0 < 1.25.11 | 1.25.11 |
| k8s.io | kubernetes | >= 1.26.0 < 1.26.6 | 1.26.6 |
| k8s.io | kubernetes | >= 1.27.0 < 1.27.3 | 1.27.3 |
| kubernetes | kubernetes | <= 1.24.14 | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | >= 0 < 1.20.5+really1.20.2-1 | 1.20.5+really1.20.2-1 |
| kubernetes | kubernetes | 1.25.0 – 1.25.10 | — |
| kubernetes | kubernetes | 1.26.0 – 1.26.5 | — |
| kubernetes | kubernetes | 1.27.0 – 1.27.2 | — |
| kubernetes | kubernetes | v1.24.14 – <= | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
osv6.5MEDIUM
vendor_redhat7.8HIGH
vendor_debian6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
osv·2024-08-20
CVE-2023-2728 Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
GHSA
Kubernetes mountable secrets policy bypass
ghsa·2023-07-03
CVE-2023-2728 [MEDIUM] CWE-20 Kubernetes mountable secrets policy bypass
Kubernetes mountable secrets policy bypass
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
OSV
Kubernetes mountable secrets policy bypass
osv·2023-07-03
CVE-2023-2728 [MEDIUM] Kubernetes mountable secrets policy bypass
Kubernetes mountable secrets policy bypass
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
OSV
CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral c
osv·2023-07-03·CVSS 6.5
CVE-2023-2728 [MEDIUM] CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral c
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Red Hat
kernel: block: ublk: extending queue_size to fix overflow
vendor_redhat·2025-03-27·CVSS 7.8
CVE-2023-52980 [HIGH] kernel: block: ublk: extending queue_size to fix overflow
kernel: block: ublk: extending queue_size to fix overflow
In the Linux kernel, the following vulnerability has been resolved:
block: ublk: extending queue_size to fix overflow
When validating drafted SPDK ublk target, in a case that
assigning large queue depth to multiqueue ublk device,
ublk target would run into a weird incorrect state. During
rounds of review and debug, An overflow bug was found
in ublk driver.
In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means
each ublk queue depth can be set as large as 4096. But
when setting qd for a ublk device,
sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)
will be larger than 65535 if qd is larger than 2728.
Then queue_size is overflowed, and ublk_get_queue()
references a wrong pointer position. The wrong content of
ublk_queue ele
Red Hat
kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
vendor_redhat·2023-06-15·CVSS 6.5
CVE-2023-2728 [MEDIUM] kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
A flaw was found in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensure
Debian
CVE-2023-2728: kubernetes - Users may be able to launch containers that bypass the mountable secrets policy ...
vendor_debian·2023·CVSS 6.5
CVE-2023-2728 [MEDIUM] CVE-2023-2728: kubernetes - Users may be able to launch containers that bypass the mountable secrets policy ...
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Scope: local
bookworm: resolved (fixed in 1.20.5+really1.20.2-1)
bullseye: resolved (fixed in 1.20.5+really1.20.2-1)
forky: resolved (fixed in 1.20.5+really1.20.2-1)
sid: resolved (fixed in 1.20.5+really1.20.2-1)
trixie: resolved (fixed in 1.20.5+really1.20.2-1)
No detection rules found.
No public exploits indexed.
http://www.openwall.com/lists/oss-security/2023/07/06/3https://github.com/kubernetes/kubernetes/issues/118640https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8https://security.netapp.com/advisory/ntap-20230803-0004/http://www.openwall.com/lists/oss-security/2023/07/06/3https://github.com/kubernetes/kubernetes/issues/118640https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8https://security.netapp.com/advisory/ntap-20230803-0004/
2023-07-03
Published