Closed
Description
In GitHub Security Advisory GHSA-cgcv-5272-97pr, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| k8s.io/kubernetes | 1.24.15 | < 1.24.15 |
Cross references:
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864 EFFECTIVELY_PRIVATE
- Module k8s.io/kubernetes appears in issue dummy issue #64
- Module k8s.io/kubernetes appears in issue dummy issue #65
- Module k8s.io/kubernetes appears in issue dummy issue #66
- Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701
See doc/triage.md for instructions on how to triage this report.
modules:
- module: k8s.io/kubernetes
versions:
- fixed: 1.24.15
vulnerable_at: 1.24.14
packages:
- package: k8s.io/kubernetes
- module: k8s.io/kubernetes
versions:
- introduced: 1.25.0
fixed: 1.25.11
vulnerable_at: 1.25.10
packages:
- package: k8s.io/kubernetes
- module: k8s.io/kubernetes
versions:
- introduced: 1.26.0
fixed: 1.26.6
vulnerable_at: 1.26.5
packages:
- package: k8s.io/kubernetes
- module: k8s.io/kubernetes
versions:
- introduced: 1.27.0
fixed: 1.27.3
vulnerable_at: 1.27.2
packages:
- package: k8s.io/kubernetes
summary: Kubernetes mountable secrets policy bypass
description: |-
Users may be able to launch containers that bypass the mountable secrets policy
enforced by the ServiceAccount admission plugin when using ephemeral containers.
The policy ensures pods running with a service account may only reference
secrets specified in the service account’s secrets field. Kubernetes clusters
are only affected if the ServiceAccount admission plugin and the
`kubernetes.io/enforce-mountable-secrets` annotation are used together with
ephemeral containers.
cves:
- CVE-2023-2728
ghsas:
- GHSA-cgcv-5272-97pr
references:
- web: https://nvd.nist.gov/vuln/detail/CVE-2023-2728
- report: https://github.com/kubernetes/kubernetes/issues/118640
- web: https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
- fix: https://github.com/kubernetes/kubernetes/pull/118356
- fix: https://github.com/kubernetes/kubernetes/pull/118471
- fix: https://github.com/kubernetes/kubernetes/pull/118473
- fix: https://github.com/kubernetes/kubernetes/pull/118474
- fix: https://github.com/kubernetes/kubernetes/pull/118512
- advisory: https://github.com/advisories/GHSA-cgcv-5272-97pr