gsd-2023-2727
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-2727",
"id": "GSD-2023-2727"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-2727"
],
"details": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n",
"id": "GSD-2023-2727",
"modified": "2023-12-13T01:20:32.098881Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"ID": "CVE-2023-2727",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "v1.24.14",
"version_value": "\u003c="
},
{
"version_affected": "=",
"version_value": "v1.25.0 - v1.25.10"
},
{
"version_affected": "=",
"version_value": "v1.26.0 - v1.26.5"
},
{
"version_affected": "=",
"version_value": "v1.27.0 - v1.27.2"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Stanislav L\u00e1zni\u010dka"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-20",
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"
},
{
"name": "https://github.com/kubernetes/kubernetes/issues/118640",
"refsource": "MISC",
"url": "https://github.com/kubernetes/kubernetes/issues/118640"
},
{
"name": "http://www.openwall.com/lists/oss-security/2023/07/06/2",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2023/07/06/2"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230803-0004/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230803-0004/"
}
]
},
"solution": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eTo mitigate this vulnerability, upgrade Kubernetes: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\"\u003ehttps://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\u003c/a\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster \n\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePrior to upgrading, this vulnerability can be mitigated by running v\u003cspan style=\"background-color: var(--wht);\"\u003ealidation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.\n\n\n\n"
}
]
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.24.15||\u003e=1.25.0 \u003c1.25.11||\u003e=1.26.0 \u003c1.26.6||\u003e=1.27.0 \u003c1.27.3",
"affected_versions": "All versions before 1.24.15, all versions starting from 1.25.0 before 1.25.11, all versions starting from 1.26.0 before 1.26.6, all versions starting from 1.27.0 before 1.27.3",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-07-07",
"description": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n",
"fixed_versions": [
"1.26.6",
"1.27.3",
"1.24.15",
"1.25.11"
],
"identifier": "CVE-2023-2727",
"identifiers": [
"GHSA-qc2g-gmh6-95p4",
"CVE-2023-2727"
],
"not_impacted": "All versions starting from 1.24.15 before 1.25.0, all versions starting from 1.25.11 before 1.26.0, all versions starting from 1.26.6 before 1.27.0, all versions starting from 1.27.3",
"package_slug": "go/k8s.io/kubernetes",
"pubdate": "2023-07-03",
"solution": "Upgrade to versions 1.26.6, 1.27.3, 1.24.15, 1.25.11 or above.",
"title": "kube-apiserver vulnerable to policy bypass",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-2727",
"https://github.com/kubernetes/kubernetes/issues/118640",
"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8",
"https://github.com/kubernetes/kubernetes/pull/118356",
"https://github.com/kubernetes/kubernetes/pull/118471",
"https://github.com/kubernetes/kubernetes/pull/118473",
"https://github.com/kubernetes/kubernetes/pull/118474",
"https://github.com/kubernetes/kubernetes/pull/118512",
"http://www.openwall.com/lists/oss-security/2023/07/06/2",
"https://github.com/advisories/GHSA-qc2g-gmh6-95p4"
],
"uuid": "68483abd-ca20-4249-80a7-e6f95df520fc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.27.2",
"versionStartIncluding": "1.27.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.26.5",
"versionStartIncluding": "1.26.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.25.10",
"versionStartIncluding": "1.25.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24.14",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"ID": "CVE-2023-2727"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kubernetes/kubernetes/issues/118640",
"refsource": "MISC",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/kubernetes/kubernetes/issues/118640"
},
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8",
"refsource": "MISC",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"
},
{
"name": "http://www.openwall.com/lists/oss-security/2023/07/06/2",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/06/2"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230803-0004/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230803-0004/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2
}
},
"lastModifiedDate": "2023-08-03T15:15Z",
"publishedDate": "2023-07-03T21:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.