CVE-2023-2728
Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
6.5
MEDIUM
CVSS 3.1
EPSS 4.9%
Description
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
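The root cause described above is a blind spot in the admission check: the ServiceAccount plugin compared the secrets referenced by a pod's regular containers and volumes against the service account's `secrets` list, but ephemeral containers (added later via the `ephemeralcontainers` subresource) were not included in that comparison. The audit helper below is an added example, not Kubernetes project code. It models the mountable-secrets policy over constructed Pod and ServiceAccount objects and shows how the result differs when ephemeral containers are included in the check; the set of reference kinds it inspects (secret volumes, projected secret sources, `secretKeyRef` and `secretRef` env entries) is an assumption about the policy, not something this page enumerates.

```python
"""Audit helper: does a Pod reference only the secrets its ServiceAccount
permits?  Added example for CVE-2023-2728, not Kubernetes project code.
The reference kinds inspected below are an assumption about the policy."""

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def container_secret_refs(container):
    """Secret names referenced from one container spec via env entries."""
    names = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            names.add(ref["name"])
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            names.add(ref["name"])
    return names


def pod_secret_refs(pod, include_ephemeral=True):
    """Every secret the pod references: volumes plus all container kinds.
    include_ephemeral=False reproduces the pre-fix blind spot."""
    spec = pod["spec"]
    names = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    kinds = ["containers", "initContainers"]
    if include_ephemeral:
        kinds.append("ephemeralContainers")
    for kind in kinds:
        for c in spec.get(kind, []):
            names |= container_secret_refs(c)
    return names


def disallowed_secrets(pod, service_account, include_ephemeral=True):
    """Secrets the pod references that the SA does not list.  Empty when
    the SA does not opt in via the enforce-mountable-secrets annotation."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return set()
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    return pod_secret_refs(pod, include_ephemeral) - allowed


# Constructed sample objects (not from any real cluster).
SERVICE_ACCOUNT = {
    "metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-token"}],
}

POD = {
    "spec": {
        "serviceAccountName": "app",
        "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
        "containers": [{"name": "app", "image": "example/app"}],
        # A debug container referencing a secret outside the SA's list.
        "ephemeralContainers": [{
            "name": "debug",
            "image": "example/debug",
            "env": [{"name": "PW", "valueFrom": {
                "secretKeyRef": {"name": "db-admin-creds", "key": "password"}}}],
        }],
    }
}


def audit_sample():
    """Compare the incomplete check with the complete one on the sample pod."""
    return {
        "without_ephemeral": disallowed_secrets(POD, SERVICE_ACCOUNT, False),
        "with_ephemeral": disallowed_secrets(POD, SERVICE_ACCOUNT, True),
    }


if __name__ == "__main__":
    for mode, bad in audit_sample().items():
        print(f"{mode}: {'OK' if not bad else 'disallowed ' + str(sorted(bad))}")
```

Run against live objects from `kubectl get pod -o json` and `kubectl get sa -o json`, the complete check (`include_ephemeral=True`) is what a fixed admission plugin enforces; the incomplete variant is only there to show why the annotation alone was not sufficient on unpatched versions.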
How to fix CVE-2023-2728
To remediate CVE-2023-2728, upgrade the affected package to a fixed version below.
- Upgrade to 1.20.5+really1.20.2-1 or later
- Upgrade to 1.27.3 or later
- Upgrade to 1.24.15 or later
Is CVE-2023-2728 being exploited?
Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- 0 <= version < 1.20.5+really1.20.2-1
- 1.27.0 <= version < 1.27.3
- 0 <= version < 1.24.15; 1.25.0 <= version < 1.25.11; 1.26.0 <= version < 1.26.6; 1.27.0 <= version < 1.27.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |