{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-2727","assignerOrgId":"a6081bf6-c852-4425-ad4f-a67919267565","state":"PUBLISHED","assignerShortName":"kubernetes","dateReserved":"2023-05-16T00:31:53.873Z","datePublished":"2023-07-03T20:05:04.329Z","dateUpdated":"2025-02-13T16:45:04.559Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Kubernetes","vendor":"Kubernetes","versions":[{"lessThanOrEqual":"<=","status":"affected","version":"v1.24.14","versionType":"semver"},{"status":"affected","version":"v1.25.0 - v1.25.10"},{"status":"affected","version":"v1.26.0 - v1.26.5"},{"status":"affected","version":"v1.27.0 - v1.27.2"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Stanislav Láznička"}],"datePublic":"2023-06-15T04:30:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.</div>"}],"value":"Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers."}],"impacts":[{"capecId":"CAPEC-554","descriptions":[{"lang":"en","value":"CAPEC-554 Functionality Bypass"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"a6081bf6-c852-4425-ad4f-a67919267565","shortName":"kubernetes","dateUpdated":"2023-08-03T14:06:28.553Z"},"references":[{"tags":["mailing-list"],"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"},{"tags":["issue-tracking"],"url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/2"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster</a></div></div>"}],"value":"To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster"}],"source":{"discovery":"EXTERNAL"},"title":"Bypassing policies imposed by the ImagePolicyWebhook admission plugin","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>Prior to upgrading, this vulnerability can be mitigated by running v<span style=\"background-color: var(--wht);\">alidation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.</span></div></div>"}],"value":"Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers."}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T06:33:05.475Z"},"title":"CVE Program Container","references":[{"tags":["mailing-list","x_transferred"],"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"},{"tags":["issue-tracking","x_transferred"],"url":"https://github.com/kubernetes/kubernetes/issues/118640"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/2","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-25T17:43:56.206309Z","id":"CVE-2023-2727","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-25T17:44:04.977Z"}}]}}