CVE-2023-2728

Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

Description

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

Remediation

Solution:

  • To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 3.26% Top 15%
Affected: Kubernetes Kubernetes
Published at:
Updated at:

References

Link Tags
https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8 mailing list
https://github.com/kubernetes/kubernetes/issues/118640 issue tracking
http://www.openwall.com/lists/oss-security/2023/07/06/3 mailing list
https://security.netapp.com/advisory/ntap-20230803-0004/

Frequently Asked Questions

What is the severity of CVE-2023-2728?
CVE-2023-2728 has been scored as a medium severity vulnerability.
How to fix CVE-2023-2728?
To fix CVE-2023-2728: To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Is CVE-2023-2728 being actively exploited in the wild?
It is possible that CVE-2023-2728 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-2728?
CVE-2023-2728 affects Kubernetes Kubernetes.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.