vulnerability
Kubernetes: CVE-2023-2728: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:M/C:C/I:C/A:N) | 2023-07-03 | 2023-07-14 | 2025-02-20 |
Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:N)
Published
2023-07-03
Added
2023-07-14
Modified
2025-02-20
Description
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Solution(s)
kubernetes-upgrade-1_24_15kubernetes-upgrade-1_25_11kubernetes-upgrade-1_26_6kubernetes-upgrade-1_27_3
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.