Closed
Description
In GitHub Security Advisory GHSA-xc8m-28vv-4pjc, there is a vulnerability in the following Go packages or modules:
The advisory lists one row per release branch; the full set of affected ranges (also recorded in the report below) is:

Unit | Fixed | Vulnerable Ranges |
---|---|---|
k8s.io/kubernetes | 1.24.14 | < 1.24.14 |
k8s.io/kubernetes | 1.25.10 | >= 1.25.0, < 1.25.10 |
k8s.io/kubernetes | 1.26.5 | >= 1.26.0, < 1.26.5 |
k8s.io/kubernetes | 1.27.2 | >= 1.27.0, < 1.27.2 |
Cross references:
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue dummy issue #64
- Module k8s.io/kubernetes appears in issue dummy issue #65
- Module k8s.io/kubernetes appears in issue dummy issue #66
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.24.14
        - introduced: 1.25.0
          fixed: 1.25.10
        - introduced: 1.26.0
          fixed: 1.26.5
        - introduced: 1.27.0
          fixed: 1.27.2
      packages:
        - package: k8s.io/kubernetes
summary: Kubelet vulnerable to bypass of seccomp profile enforcement
description: A security issue was discovered in Kubelet that allows pods to bypass seccomp profile enforcement. Pods that use the Localhost seccomp profile type but specify an empty profile field are affected. In this scenario the pod runs in unconfined (seccomp disabled) mode. This bug affects Kubelet.
cves:
    - CVE-2023-2431
ghsas:
    - GHSA-xc8m-28vv-4pjc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-2431
    - report: https://github.com/kubernetes/kubernetes/issues/118690
    - web: https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
    - fix: https://github.com/kubernetes/kubernetes/pull/117020
    - fix: https://github.com/kubernetes/kubernetes/pull/117116
    - fix: https://github.com/kubernetes/kubernetes/pull/117117
    - fix: https://github.com/kubernetes/kubernetes/pull/117118
    - fix: https://github.com/kubernetes/kubernetes/pull/117147
    - advisory: https://github.com/advisories/GHSA-xc8m-28vv-4pjc
```
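The condition the description spells out (seccomp type `Localhost` with an empty profile field) is easy to look for in manifests before a pod reaches an unpatched kubelet. The following is an added example, not code from this report or from the Kubernetes code base: a small Go scanner that parses one Pod manifest and reports every init or regular container whose effective seccomp profile is `Localhost` with an empty or omitted `localhostProfile`. The stand-in Pod types, the function names and the three constructed manifests are assumptions made for the example; the only Kubernetes behaviour it encodes is the precedence rule that a container-level `securityContext.seccompProfile` overrides the pod-level one.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal local mirror of the Pod fields the check needs. These are hypothetical
// stand-in types, not k8s.io/api, so the example builds without external modules.
type SeccompProfile struct {
	Type             string  `json:"type"`
	LocalhostProfile *string `json:"localhostProfile,omitempty"`
}

type SecurityContext struct {
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	InitContainers  []Container      `json:"initContainers,omitempty"`
	Containers      []Container      `json:"containers"`
}

type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec PodSpec `json:"spec"`
}

// effectiveProfile applies the Pod API precedence rule: a container-level
// seccompProfile overrides the pod-level one; otherwise the pod-level applies.
func effectiveProfile(spec *PodSpec, c *Container) *SeccompProfile {
	if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
		return c.SecurityContext.SeccompProfile
	}
	if spec.SecurityContext != nil {
		return spec.SecurityContext.SeccompProfile
	}
	return nil
}

// isEmptyLocalhost reports whether a profile has the shape the advisory describes:
// type Localhost with no usable profile path. An omitted field is flagged as well,
// because a manifest scanner should not rely on server-side validation to catch it.
func isEmptyLocalhost(sp *SeccompProfile) bool {
	if sp == nil || sp.Type != "Localhost" {
		return false
	}
	return sp.LocalhostProfile == nil || *sp.LocalhostProfile == ""
}

// FindEmptyLocalhostProfiles parses one Pod manifest (JSON) and returns
// "pod/container" for every init or regular container whose effective seccomp
// profile is Localhost with an empty localhostProfile.
func FindEmptyLocalhostProfiles(podJSON []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, fmt.Errorf("parsing pod: %w", err)
	}
	var findings []string
	for _, group := range [][]Container{pod.Spec.InitContainers, pod.Spec.Containers} {
		for i := range group {
			if isEmptyLocalhost(effectiveProfile(&pod.Spec, &group[i])) {
				findings = append(findings, pod.Metadata.Name+"/"+group[i].Name)
			}
		}
	}
	return findings, nil
}

// Constructed sample manifests (not taken from any real cluster).
// Pod-level Localhost with an empty path; the sidecar overrides it and is fine.
const podLevelEmpty = `{"metadata": {"name": "web"}, "spec": {
  "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": ""}},
  "containers": [{"name": "app"},
    {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}`

// Container-level Localhost with the path omitted entirely, on an init container.
const containerLevelMissing = `{"metadata": {"name": "batch"}, "spec": {
  "initContainers": [{"name": "init", "securityContext": {"seccompProfile": {"type": "Localhost"}}}],
  "containers": [{"name": "worker", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}`

// Correct use of a Localhost profile: a real path relative to the kubelet's seccomp root.
const properLocalhost = `{"metadata": {"name": "db"}, "spec": {
  "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/postgres.json"}},
  "containers": [{"name": "postgres"}]}}`

func main() {
	for _, manifest := range []string{podLevelEmpty, containerLevelMissing, properLocalhost} {
		findings, err := FindEmptyLocalhostProfiles([]byte(manifest))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: Localhost seccomp profile with empty localhostProfile (unconfined on an unpatched kubelet)\n", f)
		}
	}
}
```

Run against the constructed inputs, the scanner flags `web/app` and `batch/init` and accepts `db/postgres`. A flagged manifest should either name a real profile file under the kubelet's seccomp root or switch the profile type to `RuntimeDefault`; leaving the field empty is never a way to express "default".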