// For flags

CVE-2023-2728

Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

A flaw was found in Kubernetes, where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures that pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

This update for kubernetes1.23 fixes the following issues. Escape, meta and control sequences in raw data output to terminal not neutralized. Bypass of policies imposed by the ImagePolicyWebhook admission plugin. Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. Go1.20: excessive resource consumption when dealing with rapid stream resets. Google.golang.org/grpc, kube-apiserver: HTTP/2 rapid reset vulnerability. Golang.org/x/net: excessive CPU consumption when processing unlimited sets of headers. Kube-controller-manager pod crash when processing malformed HPA v1 manifests. Bypass of the mountable secrets policy enforced by the ServiceAccount admission plugin. Github.com/golang/protobuf: infinite loop when unmarshaling invalid JSON. Bug fixes. Use -trimpath in non-DBG mode for reproducible builds. Fixed multiple issues for successful 'kubeadm init' run. Update go to version 1.22.5 in build requirements.

*Credits: Rita Zhang
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Multiple
Confidentiality
Complete
Integrity
Complete
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-05-16 CVE Reserved
  • 2023-07-03 CVE Published
  • 2024-09-05 First Exploit
  • 2025-02-13 CVE Updated
  • 2025-08-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
CAPEC
  • CAPEC-554: Functionality Bypass
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Kubernetes
Search vendor "Kubernetes"
 Kubernetes
Search vendor "Kubernetes" for product "Kubernetes"
 <= 1.24.14
Search vendor "Kubernetes" for product "Kubernetes" and version " <= 1.24.14"
-
Affected
Kubernetes
Search vendor "Kubernetes"
 Kubernetes
Search vendor "Kubernetes" for product "Kubernetes"
 >= 1.25.0 <= 1.25.10
Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.25.0 <= 1.25.10"
-
Affected
Kubernetes
Search vendor "Kubernetes"
 Kubernetes
Search vendor "Kubernetes" for product "Kubernetes"
 >= 1.26.0 <= 1.26.5
Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.26.0 <= 1.26.5"
-
Affected
Kubernetes
Search vendor "Kubernetes"
 Kubernetes
Search vendor "Kubernetes" for product "Kubernetes"
 >= 1.27.0 <= 1.27.2
Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.27.0 <= 1.27.2"
-
Affected