CVE-2023-2728

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-2728
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-2728.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-2728
Aliases
Downstream
Related
Published
2023-07-03T20:06:11.796Z
Modified
2026-05-13T04:23:18.243776672Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
Details

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Database specific 
{
    "cna_assigner": "kubernetes",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/2xxx/CVE-2023-2728.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "v1.24.14"
                },
                {
                    "last_affected": "<="
                },
                {
                    "last_affected": "v1.25.0 - v1.25.10"
                },
                {
                    "last_affected": "v1.26.0 - v1.26.5"
                },
                {
                    "last_affected": "v1.27.0 - v1.27.2"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/kubernetes/kubernetes

Affected ranges

Type
GIT
Repo
https://github.com/kubernetes/kubernetes
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
0018fa8af8ffaff22f36d3bd86289753ca61da81
Introduced
a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2
Last affected
e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d
Introduced
b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d
Last affected
890a139214b4de1f01543d15003b5bda71aae9c7
Introduced
1b4df30b3cdfeaba6024e81e559a6cd09a089d65
Last affected
7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.24.14"
        },
        {
            "introduced": "1.25.0"
        },
        {
            "last_affected": "1.25.10"
        },
        {
            "introduced": "1.26.0"
        },
        {
            "last_affected": "1.26.5"
        },
        {
            "introduced": "1.27.0"
        },
        {
            "last_affected": "1.27.2"
        }
    ],
    "cpe": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD"
}

Affected versions

v0.*
v0.13.1-dev
v0.17.0
v1.*
v1.1.0-alpha.0
v1.1.0-alpha.1
v1.10.0-alpha.0
v1.10.0-alpha.1
v1.10.0-alpha.2
v1.10.0-alpha.3
v1.11.0-alpha.0
v1.11.0-alpha.1
v1.11.0-alpha.2
v1.12.0-alpha.0
v1.12.0-alpha.1
v1.13.0-alpha.0
v1.13.0-alpha.1
v1.13.0-alpha.2
v1.13.0-alpha.3
v1.14.0-alpha.0
v1.14.0-alpha.1
v1.14.0-alpha.2
v1.14.0-alpha.3
v1.15.0-alpha.0
v1.15.0-alpha.1
v1.15.0-alpha.2
v1.15.0-alpha.3
v1.16.0-alpha.0
v1.16.0-alpha.1
v1.16.0-alpha.2
v1.16.0-alpha.3
v1.17.0-alpha.0
v1.17.0-alpha.1
v1.17.0-alpha.2
v1.17.0-alpha.3
v1.18.0-alpha.0
v1.18.0-alpha.1
v1.18.0-alpha.2
v1.18.0-alpha.4
v1.18.0-alpha.5
v1.19.0-alpha.0
v1.19.0-alpha.1
v1.19.0-alpha.2
v1.19.0-alpha.3
v1.19.0-beta.0
v1.19.0-beta.1
v1.19.0-beta.2
v1.2.0-alpha.1
v1.2.0-alpha.2
v1.2.0-alpha.3
v1.2.0-alpha.4
v1.2.0-alpha.5
v1.2.0-alpha.6
v1.2.0-alpha.7
v1.2.0-alpha.8
v1.20.0-alpha.0
v1.20.0-alpha.1
v1.20.0-alpha.2
v1.20.0-alpha.3
v1.20.0-beta.0
v1.20.0-beta.1
v1.20.0-beta.2
v1.21.0-alpha.0
v1.21.0-alpha.1
v1.21.0-alpha.2
v1.21.0-alpha.3
v1.21.0-beta.0
v1.21.0-beta.1
v1.22.0-alpha.0
v1.22.0-alpha.1
v1.22.0-alpha.2
v1.22.0-alpha.3
v1.22.0-beta.0
v1.22.0-beta.1
v1.22.0-beta.2
v1.23.0-alpha.0
v1.23.0-alpha.1
v1.23.0-alpha.2
v1.23.0-alpha.3
v1.23.0-alpha.4
v1.24.0
v1.24.0-alpha.0
v1.24.0-alpha.1
v1.24.0-alpha.2
v1.24.0-alpha.3
v1.24.0-alpha.4
v1.24.0-beta.0
v1.24.0-rc.0
v1.24.0-rc.1
v1.24.1
v1.24.1-rc.0
v1.24.10
v1.24.10-rc.0
v1.24.11
v1.24.11-rc.0
v1.24.12
v1.24.12-rc.0
v1.24.13
v1.24.14
v1.24.2
v1.24.2-rc.0
v1.24.3
v1.24.3-rc.0
v1.24.4
v1.24.4-rc.0
v1.24.5
v1.24.5-rc.0
v1.24.6
v1.24.6-rc.0
v1.24.7
v1.24.7-rc.0
v1.24.8
v1.24.8-rc.0
v1.24.9
v1.24.9-rc.0
v1.25.0
v1.25.0-alpha.0
v1.25.1
v1.25.1-rc.0
v1.25.10
v1.25.2
v1.25.2-rc.0
v1.25.3
v1.25.3-rc.0
v1.25.4
v1.25.4-rc.0
v1.25.5
v1.25.5-rc.0
v1.25.6
v1.25.6-rc.0
v1.25.7
v1.25.7-rc.0
v1.25.8
v1.25.8-rc.0
v1.25.9
v1.26.0
v1.26.1
v1.26.1-rc.0
v1.26.2
v1.26.2-rc.0
v1.26.3
v1.26.3-rc.0
v1.26.4
v1.26.5
v1.27.0
v1.27.1
v1.27.2
v1.3.0-alpha.0
v1.3.0-alpha.1
v1.3.0-alpha.2
v1.3.0-alpha.3
v1.3.0-alpha.4
v1.3.0-alpha.5
v1.4.0-alpha.1
v1.4.0-alpha.2
v1.4.0-alpha.3
v1.5.0-alpha.0
v1.5.0-alpha.1
v1.5.0-alpha.2
v1.6.0-alpha.0
v1.6.0-alpha.1
v1.6.0-alpha.2
v1.6.0-alpha.3
v1.7.0-alpha.0
v1.7.0-alpha.1
v1.7.0-alpha.2
v1.7.0-alpha.3
v1.7.0-alpha.4
v1.8.0-alpha.0
v1.8.0-alpha.1
v1.8.0-alpha.2
v1.8.0-alpha.3
v1.9.0-alpha.0
v1.9.0-alpha.1
v1.9.0-alpha.2
v1.9.0-alpha.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-2728.json"