Closed
Description
In GitHub Security Advisory GHSA-qc2g-gmh6-95p4, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| k8s.io/kubernetes | 1.24.15 | < 1.24.15 |
Cross references:
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue dummy issue #64
- Module k8s.io/kubernetes appears in issue dummy issue #65
- Module k8s.io/kubernetes appears in issue dummy issue #66
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701
See doc/triage.md for instructions on how to triage this report.
```yaml
modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.24.15
      vulnerable_at: 1.24.14
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.25.0
          fixed: 1.25.11
      vulnerable_at: 1.25.10
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.26.0
          fixed: 1.26.6
      vulnerable_at: 1.26.5
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.27.0
          fixed: 1.27.3
      vulnerable_at: 1.27.2
      packages:
        - package: k8s.io/kubernetes
summary: kube-apiserver vulnerable to policy bypass
description: |-
    Users may be able to launch containers using images that are restricted by
    ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only
    affected if the ImagePolicyWebhook admission plugin is used together with
    ephemeral containers.
cves:
    - CVE-2023-2727
ghsas:
    - GHSA-qc2g-gmh6-95p4
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-2727
    - report: https://github.com/kubernetes/kubernetes/issues/118640
    - web: https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
    - fix: https://github.com/kubernetes/kubernetes/pull/118356
    - fix: https://github.com/kubernetes/kubernetes/pull/118471
    - fix: https://github.com/kubernetes/kubernetes/pull/118473
    - fix: https://github.com/kubernetes/kubernetes/pull/118474
    - fix: https://github.com/kubernetes/kubernetes/pull/118512
    - advisory: https://github.com/advisories/GHSA-qc2g-gmh6-95p4
```