CVE-2023-2728 - Vulnerability Details

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03684.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kubernetes	Kubernetes
Redhat	Openshift Openshift Ironic

Configuration 1 [-]

OR	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.14
buildah-1:1.29.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
butane-0:0.19.0-1.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
catch-0:3.3.2-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
conmon-3:2.1.7-3.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
containers-common-2:1-51.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
container-selinux-3:2.221.0-2.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
coreos-installer-0:0.17.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-tools-0:1.27.0-2.1.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-0:1.9.2-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-wasm-0:1.8.5-3.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
fmt-0:9.1.0-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
google-benchmark-0:1.8.2-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
gtest-0:1.13.0-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
haproxy-0:2.6.13-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
ignition-0:2.16.2-1.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kata-containers-0:3.1.3-4.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-0:5.14.0-284.36.1.el9_2	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
nmstate-0:2.2.12-1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
ovn23.09-0:23.09.0-37.el9fdp	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
podman-3:4.4.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-decorator-0:4.4.2-6.0.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-fixtures-0:4.0.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-futurist-0:2.4.1-0.20230308173923.159d752.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pbr-0:5.11.1-0.1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pycadf-0:3.1.1-0.20230308171749.4179996.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-0:4.5.0-0.20230719180619.146ed33.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tenacity-0:6.3.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
python-wrapt-0:1.14.1-1.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
runc-4:1.1.9-2.1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
rust-afterburn-0:5.4.3-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
skopeo-2:1.11.2-10.1.rhaos4.14.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
spdlog-0:1.12.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
toolbox-0:0.1.2-1.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
wasmedge-0:0.12.1-2.rhaos4.14.el9	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5009	2023-10-31T00:00:00Z
microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9	cpe:/a:redhat:openshift:4.14::el9	RHSA-2023:5008	2023-10-31T00:00:00Z
buildah-1:1.29.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
butane-0:0.19.0-1.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
catch-0:3.3.2-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
conmon-3:2.1.7-3.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
containers-common-2:1-51.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
container-selinux-3:2.221.0-2.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
coreos-installer-0:0.17.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
cri-tools-0:1.27.0-2.1.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-0:1.9.2-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
crun-wasm-0:1.8.5-3.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
fmt-0:9.1.0-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
google-benchmark-0:1.8.2-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
gtest-0:1.13.0-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
haproxy-0:2.6.13-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
ignition-0:2.16.2-1.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kata-containers-0:3.1.3-4.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-0:5.14.0-284.36.1.el9_2	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
nmstate-0:2.2.12-1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
ovn23.09-0:23.09.0-37.el9fdp	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
podman-3:4.4.1-10.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-decorator-0:4.4.2-6.0.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-fixtures-0:4.0.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-futurist-0:2.4.1-0.20230308173923.159d752.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pbr-0:5.11.1-0.1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-pycadf-0:3.1.1-0.20230308171749.4179996.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-0:4.5.0-0.20230719180619.146ed33.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tenacity-0:6.3.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
python-wrapt-0:1.14.1-1.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
runc-4:1.1.9-2.1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
rust-afterburn-0:5.4.3-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
skopeo-2:1.11.2-10.1.rhaos4.14.el8	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
spdlog-0:1.12.0-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
toolbox-0:0.1.2-1.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z
wasmedge-0:0.12.1-2.rhaos4.14.el9	cpe:/a:redhat:openshift_ironic:4.14::el9	RHSA-2023:5009	2023-10-31T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2032	Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Github GHSA	GHSA-cgcv-5272-97pr	Kubernetes mountable secrets policy bypass

Fixes

Solution

To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/06/3
https://github.com/kubernetes/kubernetes/issues/118640
https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
https://nvd.nist.gov/vuln/detail/CVE-2023-2728
https://security.netapp.com/advisory/ntap-20230803-0004/
https://www.cve.org/CVERecord?id=CVE-2023-2728

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.03256}`	epss `{'score': 0.03248}`

Thu, 13 Feb 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description	Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.	Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

Mon, 25 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2023-07-03T20:06:11.796Z

Updated: 2025-02-13T16:45:20.353Z

Reserved: 2023-05-16T00:32:00.189Z

Link: CVE-2023-2728

Vulnrichment

Updated: 2024-08-02T06:33:05.263Z

NVD

Status : Modified

Published: 2023-07-03T21:15:09.557

Modified: 2025-02-13T17:16:22.447

Link: CVE-2023-2728

Redhat

Severity : Moderate

Publid Date: 2023-06-15T04:00:00Z

Links: CVE-2023-2728 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object