vulnerability
Red Hat OpenShift: CVE-2023-2728: kube-apiserver: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:M/C:C/I:C/A:N) | 2023-07-03 | 2023-11-01 | 2025-04-11 |
Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:N)
Published
2023-07-03
Added
2023-11-01
Modified
2025-04-11
Description
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Solution(s)
linuxrpm-upgrade-buildahlinuxrpm-upgrade-butanelinuxrpm-upgrade-catchlinuxrpm-upgrade-conmonlinuxrpm-upgrade-container-selinuxlinuxrpm-upgrade-containernetworking-pluginslinuxrpm-upgrade-containers-commonlinuxrpm-upgrade-coreos-installerlinuxrpm-upgrade-cri-olinuxrpm-upgrade-cri-toolslinuxrpm-upgrade-crunlinuxrpm-upgrade-crun-wasmlinuxrpm-upgrade-fmtlinuxrpm-upgrade-golang-github-prometheus-promulinuxrpm-upgrade-google-benchmarklinuxrpm-upgrade-gtestlinuxrpm-upgrade-haproxylinuxrpm-upgrade-ignitionlinuxrpm-upgrade-kata-containerslinuxrpm-upgrade-kernellinuxrpm-upgrade-kernel-rtlinuxrpm-upgrade-microshiftlinuxrpm-upgrade-nmstatelinuxrpm-upgrade-openshiftlinuxrpm-upgrade-openshift-ansiblelinuxrpm-upgrade-openshift-clientslinuxrpm-upgrade-openshift-kuryrlinuxrpm-upgrade-openshift4-aws-isolinuxrpm-upgrade-openstack-ironiclinuxrpm-upgrade-openstack-ironic-inspectorlinuxrpm-upgrade-openstack-ironic-python-agentlinuxrpm-upgrade-ovn23-09linuxrpm-upgrade-podmanlinuxrpm-upgrade-python-automatonlinuxrpm-upgrade-python-cinderclientlinuxrpm-upgrade-python-clifflinuxrpm-upgrade-python-debtcollectorlinuxrpm-upgrade-python-decoratorlinuxrpm-upgrade-python-dracclientlinuxrpm-upgrade-python-fixtureslinuxrpm-upgrade-python-futuristlinuxrpm-upgrade-python-glanceclientlinuxrpm-upgrade-python-hardwarelinuxrpm-upgrade-python-ironic-liblinuxrpm-upgrade-python-ironic-prometheus-exporterlinuxrpm-upgrade-python-keystoneauth1linuxrpm-upgrade-python-keystoneclientlinuxrpm-upgrade-python-keystonemiddlewarelinuxrpm-upgrade-python-openstacksdklinuxrpm-upgrade-python-os-service-typeslinuxrpm-upgrade-python-os-traitslinuxrpm-upgrade-python-osc-liblinuxrpm-upgrade-python-oslo-cachelinuxrpm-upgrade-python-oslo-concurrencylinuxrpm-upgrade-python-oslo-configlinuxrpm-upgrade-python-oslo-contextlinuxrpm-upgrade-python-oslo-dblinuxrpm-upgrade-python-oslo-i18nlinuxrpm-upgrade-python-oslo-loglinuxrpm-upgrade-python-oslo-messaginglinuxrpm-upgrade-python-oslo-middlewarelinuxrpm-upgrade-python-oslo-policylinuxrpm-upgrade-python-oslo-rootwraplinuxrpm-upgrade-python-oslo-serializationlinuxrpm-upgrade-python-oslo-servicelinuxrpm-upgrade-python-oslo-upgradechecklinuxrpm-upgrade-python-oslo-utilslinuxrpm-upgrade-python-oslo-versionedobjectslinuxrpm-upgrade-python-osprofilerlinuxrpm-upgrade-python-pbrlinuxrpm-upgrade-python-proliantutilslinuxrpm-upgrade-python-pycadflinuxrpm-upgrade-python-requestsexceptionslinuxrpm-upgrade-python-scciclientlinuxrpm-upgrade-python-stevedorelinuxrpm-upgrade-python-sushylinuxrpm-upgrade-python-sushy-oem-idraclinuxrpm-upgrade-python-swiftclientlinuxrpm-upgrade-python-tenacitylinuxrpm-upgrade-python-toozlinuxrpm-upgrade-python-wraptlinuxrpm-upgrade-runclinuxrpm-upgrade-rust-afterburnlinuxrpm-upgrade-skopeolinuxrpm-upgrade-spdloglinuxrpm-upgrade-toolboxlinuxrpm-upgrade-wasmedge
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.