#VU77526 Permissions, Privileges, and Access Controls in apiserver - CVE-2023-2728


| Updated: 2024-09-06

Vulnerability identifier: #VU77526

Vulnerability risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-2728

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
apiserver
Web applications / Other software

Vendor: Kubernetes

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers.

Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

apiserver: 1.18.0 - 1.27.2

External links
http://groups.google.com/a/kubernetes.io/g/dev/c/_Xx3ZrNeZYg/m/cjBUC0IxAAAJ

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for AIOps
SUSE update for kubernetes1.24
SUSE update for kubernetes1.23
Multiple vulnerabilities in IBM Cloud Pak for Data
Multiple vulnerabilities in Red Hat build of MicroShift
SUSE update for kubernetes1.24
openEuler 22.03 LTS SP2 update for kubernetes
openEuler 22.03 LTS SP1 update for kubernetes
openEuler 22.03 LTS update for kubernetes
openEuler 20.03 LTS SP3 update for kubernetes