CVE-2023-2727 - Vulnerability Details

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00174.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kubernetes	Kubernetes
Redhat	Openshift Openshift Ironic

Configuration 1 [-]

OR	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.14
buildah-1:1.29.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
butane-0:0.19.0-1.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
catch-0:3.3.2-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
conmon-3:2.1.7-3.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
containers-common-2:1-51.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
container-selinux-3:2.221.0-2.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
coreos-installer-0:0.17.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-tools-0:1.27.0-2.1.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-0:1.9.2-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-wasm-0:1.8.5-3.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
fmt-0:9.1.0-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
google-benchmark-0:1.8.2-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
gtest-0:1.13.0-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
haproxy-0:2.6.13-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
ignition-0:2.16.2-1.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kata-containers-0:3.1.3-4.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-0:5.14.0-284.36.1.el9_2	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
nmstate-0:2.2.12-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
ovn23.09-0:23.09.0-37.el9fdp	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
podman-3:4.4.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-decorator-0:4.4.2-6.0.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-fixtures-0:4.0.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-futurist-0:2.4.1-0.20230308173923.159d752.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pbr-0:5.11.1-0.1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pycadf-0:3.1.1-0.20230308171749.4179996.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-0:4.5.0-0.20230719180619.146ed33.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tenacity-0:6.3.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-wrapt-0:1.14.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
runc-4:1.1.9-2.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
rust-afterburn-0:5.4.3-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
skopeo-2:1.11.2-10.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
spdlog-0:1.12.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
toolbox-0:0.1.2-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
wasmedge-0:0.12.1-2.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9	cpe:/a:redhat:openshift:4.14::el9	RHSA-2023:5008	2023-10-31T00:00:00Z
buildah-1:1.29.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
butane-0:0.19.0-1.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
catch-0:3.3.2-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
conmon-3:2.1.7-3.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
containers-common-2:1-51.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
container-selinux-3:2.221.0-2.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
coreos-installer-0:0.17.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-tools-0:1.27.0-2.1.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-0:1.9.2-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-wasm-0:1.8.5-3.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
fmt-0:9.1.0-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
google-benchmark-0:1.8.2-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
gtest-0:1.13.0-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
haproxy-0:2.6.13-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
ignition-0:2.16.2-1.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kata-containers-0:3.1.3-4.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-0:5.14.0-284.36.1.el9_2	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
nmstate-0:2.2.12-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
ovn23.09-0:23.09.0-37.el9fdp	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
podman-3:4.4.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-decorator-0:4.4.2-6.0.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-fixtures-0:4.0.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-futurist-0:2.4.1-0.20230308173923.159d752.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pbr-0:5.11.1-0.1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pycadf-0:3.1.1-0.20230308171749.4179996.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-0:4.5.0-0.20230719180619.146ed33.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tenacity-0:6.3.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-wrapt-0:1.14.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
runc-4:1.1.9-2.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
rust-afterburn-0:5.4.3-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
skopeo-2:1.11.2-10.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
spdlog-0:1.12.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
toolbox-0:0.1.2-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
wasmedge-0:0.12.1-2.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2130	Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Github GHSA	GHSA-qc2g-gmh6-95p4	kube-apiserver vulnerable to policy bypass

Fixes

Solution

To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Workaround

Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/06/2
https://github.com/kubernetes/kubernetes/issues/118640
https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
https://nvd.nist.gov/vuln/detail/CVE-2023-2727
https://security.netapp.com/advisory/ntap-20230803-0004/
https://www.cve.org/CVERecord?id=CVE-2023-2727

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00174}`	epss `{'score': 0.00179}`

Thu, 13 Feb 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description	Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.	Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Mon, 25 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2023-07-03T20:05:04.329Z

Updated: 2025-02-13T16:45:04.559Z

Reserved: 2023-05-16T00:31:53.873Z

Link: CVE-2023-2727

Vulnrichment

Updated: 2024-08-02T06:33:05.475Z

NVD

Status : Modified

Published: 2023-07-03T21:15:09.480

Modified: 2025-02-13T17:16:22.307

Link: CVE-2023-2727

Redhat

Severity : Moderate

Publid Date: 2023-06-15T04:00:00Z

Links: CVE-2023-2727 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object