CVE-2023-2727

Bypassing policies imposed by the ImagePolicyWebhook admission plugin

Description

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Remediation

Solution:

  • To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Workaround:

  • Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.17%
Third-Party Advisory openwall.com
Affected: Kubernetes Kubernetes
Published at:
Updated at:

References

Link Tags
https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8 mailing list
https://github.com/kubernetes/kubernetes/issues/118640 issue tracking
http://www.openwall.com/lists/oss-security/2023/07/06/2 third party advisory mailing list
https://security.netapp.com/advisory/ntap-20230803-0004/

Frequently Asked Questions

What is the severity of CVE-2023-2727?
CVE-2023-2727 has been scored as a medium severity vulnerability.
How to fix CVE-2023-2727?
To fix CVE-2023-2727: To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Is CVE-2023-2727 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-2727 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-2727?
CVE-2023-2727 affects Kubernetes Kubernetes.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.