x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892

GoVulnBot · 2023-07-06T16:01:16Z

In GitHub Security Advisory GHSA-cgcv-5272-97pr, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
k8s.io/kubernetes	1.24.15	< 1.24.15

Cross references:

Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue dummy issue #64
Module k8s.io/kubernetes appears in issue dummy issue #65
Module k8s.io/kubernetes appears in issue dummy issue #66
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.24.15
      vulnerable_at: 1.24.14
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.25.0
          fixed: 1.25.11
      vulnerable_at: 1.25.10
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.26.0
          fixed: 1.26.6
      vulnerable_at: 1.26.5
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.27.0
          fixed: 1.27.3
      vulnerable_at: 1.27.2
      packages:
        - package: k8s.io/kubernetes
summary: Kubernetes mountable secrets policy bypass
description: |-
    Users may be able to launch containers that bypass the mountable secrets policy
    enforced by the ServiceAccount admission plugin when using ephemeral containers.
    The policy ensures pods running with a service account may only reference
    secrets specified in the service account’s secrets field. Kubernetes clusters
    are only affected if the ServiceAccount admission plugin and the
    `kubernetes.io/enforce-mountable-secrets` annotation are used together with
    ephemeral containers.
cves:
    - CVE-2023-2728
ghsas:
    - GHSA-cgcv-5272-97pr
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-2728
    - report: https://github.com/kubernetes/kubernetes/issues/118640
    - web: https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8
    - fix: https://github.com/kubernetes/kubernetes/pull/118356
    - fix: https://github.com/kubernetes/kubernetes/pull/118471
    - fix: https://github.com/kubernetes/kubernetes/pull/118473
    - fix: https://github.com/kubernetes/kubernetes/pull/118474
    - fix: https://github.com/kubernetes/kubernetes/pull/118512
    - advisory: https://github.com/advisories/GHSA-cgcv-5272-97pr

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-07T17:16:54Z

Change https://go.dev/cl/508456 mentions this issue: data/excluded: batch add 14 excluded reports

gopherbot · 2024-06-14T17:44:08Z

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:53:10Z

Change https://go.dev/cl/606787 mentions this issue: data/reports: unexclude 20 reports (7)

- data/reports/GO-2023-1862.yaml - data/reports/GO-2023-1863.yaml - data/reports/GO-2023-1864.yaml - data/reports/GO-2023-1865.yaml - data/reports/GO-2023-1866.yaml - data/reports/GO-2023-1871.yaml - data/reports/GO-2023-1879.yaml - data/reports/GO-2023-1887.yaml - data/reports/GO-2023-1888.yaml - data/reports/GO-2023-1891.yaml - data/reports/GO-2023-1892.yaml - data/reports/GO-2023-1894.yaml - data/reports/GO-2023-1895.yaml - data/reports/GO-2023-1896.yaml - data/reports/GO-2023-1897.yaml - data/reports/GO-2023-1898.yaml - data/reports/GO-2023-1899.yaml - data/reports/GO-2023-1900.yaml - data/reports/GO-2023-1901.yaml - data/reports/GO-2023-1911.yaml Updates #1862 Updates #1863 Updates #1864 Updates #1865 Updates #1866 Updates #1871 Updates #1879 Updates #1887 Updates #1888 Updates #1891 Updates #1892 Updates #1894 Updates #1895 Updates #1896 Updates #1897 Updates #1898 Updates #1899 Updates #1900 Updates #1901 Updates #1911 Change-Id: Iffcbe8e6325ef654a17298cd4c7072192626ad21 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606787 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

jba self-assigned this Jul 7, 2023

jba added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Jul 7, 2023

gopherbot closed this as completed in aaf5b81 Jul 7, 2023

This was referenced Jul 19, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q4rr-64r9-fwgf #1946

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jq6-ffph-p4h8 #1959

Closed

This was referenced Jul 26, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985

Closed

GoVulnBot mentioned this issue Nov 1, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170

Closed

This was referenced Nov 10, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341

Closed

GoVulnBot mentioned this issue Apr 23, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

Closed

GoVulnBot mentioned this issue Jul 18, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892

GoVulnBot commented Jul 6, 2023

gopherbot commented Jul 7, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892

Comments

GoVulnBot commented Jul 6, 2023

gopherbot commented Jul 7, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024