GHSA-pxhw-596r-rwq5

Suggest an improvement
Source
https://github.com/advisories/GHSA-pxhw-596r-rwq5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-pxhw-596r-rwq5/GHSA-pxhw-596r-rwq5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pxhw-596r-rwq5
Aliases
Related
Published
2024-04-23T00:30:45Z
Modified
2024-10-15T05:57:08.256441Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Details

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

References

Affected packages

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.13

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.29.0
Fixed
1.29.4

Database specific

{
    "last_known_affected_version_range": "<= 1.29.3"
}

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.28.0
Fixed
1.28.9

Database specific

{
    "last_known_affected_version_range": "<= 1.28.8"
}