Overview
- Description
- Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
- Source
- jordan@liggitt.net
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 5.2
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
- Severity
- MEDIUM
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
- jordan@liggitt.net
- CWE-20
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "44D47082-4E70-4CBE-B52B-B2A83903F17B",
"versionEndIncluding": "1.24.14"
},
{
"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9CB1E96C-4CC8-4BE3-9BC6-2AE760B8AD3F",
"versionEndIncluding": "1.25.10",
"versionStartIncluding": "1.25.0"
},
{
"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2EFB3393-262F-4179-B397-A08519AD6BE3",
"versionEndIncluding": "1.26.5",
"versionStartIncluding": "1.26.0"
},
{
"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0B26D20B-7A52-4957-8D0A-9D65572B764C",
"versionEndIncluding": "1.27.2",
"versionStartIncluding": "1.27.0"
}
],
"operator": "OR"
}
]
}
]