CVE-2023-2728Improper Input Validation in Kubernetes

CWE-20Improper Input Validation9 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
4.9%
top 10.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
KubernetesK8s.io Kubernetes
Timeline
PublishedJul 3
Latest updateMar 27

Description

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages4 packages

Gok8s.io/kubernetes1.27.01.27.3+3
Debiankubernetes/kubernetes< 1.20.5+really1.20.2-1+3
CVEListV5kubernetes/kubernetesv1.24.14<=+3
NVDkubernetes/kubernetes1.25.01.25.10+3

🔴Vulnerability Details

5
OSV
Kubernetes mountable secrets policy bypass in k8s.io/kubernetes2024-08-20
GHSA
Kubernetes mountable secrets policy bypass2023-07-03
OSV
Kubernetes mountable secrets policy bypass2023-07-03
CVEList
Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin2023-07-03
OSV
CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral c2023-07-03

📋Vendor Advisories

3
Red Hat
kernel: block: ublk: extending queue_size to fix overflow2025-03-27
Red Hat
kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin2023-06-15
Debian
CVE-2023-2728: kubernetes - Users may be able to launch containers that bypass the mountable secrets policy ...2023
CVE-2023-2728 — Improper Input Validation in Kubernetes | cvebase