VDB
DEBIAN-CVE-2023-2728
DEBIAN-CVE-2023-2728
PUBLISHED
CVSS 6.5 MEDIUM
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | kubernetes | 0, 0, 0 |
| Debian:11 | kubernetes | 0, 0, 0 |
| Debian:12 | kubernetes | 0, 0, 0 |
| Debian:13 | kubernetes | 0, 0, 0 |
Exploit Intelligence
- Module written in Ruby with the objective of exploiting vulnerabilities CVE-2023-2728 and CVE-2024-3177, both related to the secret mount policy in a Kubernetes cluster using a custom Metasploit module. Part of a Cybersecurity Master's degree finalization project. (github-poc-repo)
- Module written in Ruby with the objective of exploiting vulnerabilities CVE-2023-2728 and CVE-2024-3177, both related to the secret mount policy in a Kubernetes cluster using a custom Metasploit module. Part of a Cybersecurity Master's degree finalization project. (github-poc)
- CVE.json (github-poc)
- cve_db.json (github-poc)
Timeline
- Jul 3, 2023 CVE Published
- Apr 28, 2026 CVE Updated