GHSA-cgcv-5272-97pr

Suggest an improvement
Source
https://github.com/advisories/GHSA-cgcv-5272-97pr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cgcv-5272-97pr/GHSA-cgcv-5272-97pr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cgcv-5272-97pr
Aliases
Related
Published
2023-07-03T21:30:57Z
Modified
2024-09-11T06:12:37.921511Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Kubernetes mountable secrets policy bypass
Details

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

References

Affected packages

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.27.0
Fixed
1.27.3

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.26.0
Fixed
1.26.6

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.25.0
Fixed
1.25.11

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.24.15