Cyber Resilience

CVE-2023-2728

Severity: Medium
Published: 03 July 2023
Modified: 13 February 2025
KEV Added: not listed
Patch
CVSS v3.1 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0485 (89.8th percentile)
Risk priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2728 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Kubernetes. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 10.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-2728 affects the ServiceAccount admission plugin in Kubernetes when the kubernetes.io/enforce-mountable-secrets annotation is enabled. The flaw allows users to launch ephemeral containers that bypass the mountable secrets policy, which normally restricts pods to referencing only secrets listed in the service account’s secrets field. Clusters are impacted solely when the admission plugin, the annotation, and ephemeral containers are used together.

An attacker with privileges to create pods and ephemeral containers can exploit the issue over the network to access secrets that would otherwise be blocked, resulting in disclosure and potential modification of sensitive data without affecting availability. The CVSS 6.5 score reflects the requirement for high privileges and the limited attack surface.

Advisories referenced in the Kubernetes security announcement and related lists describe the conditions under which clusters are exposed and point to updates that address the bypass in affected versions. The EPSS score has remained low, with a modest peak of 0.0602 that has since receded to 0.0485, indicating limited observed exploitation interest after disclosure.
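The three-way condition above (affected version, ServiceAccount admission plugin enabled, annotation present on a service account) is what a cluster operator needs to check to know whether this CVE applies. The following Python script is an added example, not code from this page or from the Kubernetes project: it takes a server version string and a ServiceAccount list in the shape `kubectl get sa -A -o json` returns, and reports whether the cluster falls inside the affected ranges listed under Affected Assets and which service accounts carry `kubernetes.io/enforce-mountable-secrets`. The sample inputs are constructed; whether the admission plugin is enabled is an API server flag the script cannot observe, so it is a caller-supplied parameter, and the check assumes the annotation enables enforcement only when its value is the string "true".

```python
"""Exposure check for CVE-2023-2728 (added example; not from the page or Kubernetes).

A cluster is exposed only when all three hold at once:
  1. the control plane runs an affected version
     (<= 1.24.14, 1.25.0 to 1.25.10, 1.26.0 to 1.26.5, per the page),
  2. the ServiceAccount admission plugin is enabled (API server flag,
     supplied by the caller here), and
  3. at least one ServiceAccount carries the enforce-mountable-secrets
     annotation with value "true".
"""
import re

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

# Affected ranges as (low inclusive, high inclusive); None means no lower bound.
AFFECTED_RANGES = [
    (None, (1, 24, 14)),
    ((1, 25, 0), (1, 25, 10)),
    ((1, 26, 0), (1, 26, 5)),
]


def parse_version(v: str) -> tuple:
    """Reduce 'v1.25.3', '1.25.3-gke.100' or 'v1.26.5+k3s1' to (1, 25, 3).

    Distribution suffixes are ignored: the patch level is what the
    affected ranges are expressed in.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(v: str) -> bool:
    """True if the version lies in any affected range."""
    t = parse_version(v)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or lo <= t) and t <= hi:
            return True
    return False


def annotated_service_accounts(sa_list: dict) -> list:
    """Return 'namespace/name' for each ServiceAccount that enforces
    mountable secrets (annotation value "true", case-insensitive)."""
    hits = []
    for item in sa_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if str(annotations.get(ANNOTATION, "")).lower() == "true":
            hits.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return hits


def assess(server_version: str, sa_list: dict, admission_plugin_enabled: bool = True) -> dict:
    """Combine the three conditions into one exposure verdict."""
    affected = version_is_affected(server_version)
    annotated = annotated_service_accounts(sa_list)
    exposed = affected and admission_plugin_enabled and bool(annotated)
    return {
        "version_affected": affected,
        "admission_plugin_enabled": admission_plugin_enabled,
        "annotated_service_accounts": annotated,
        "exposed": exposed,
        # Upgrading past the affected ranges removes the bypass; the annotation
        # itself is the intended protection and should stay in place.
        "action": "upgrade control plane past the affected ranges" if exposed else "none",
    }


# Constructed stand-in for `kubectl get sa -A -o json` (not real cluster data).
SAMPLE_SA_LIST = {
    "items": [
        {"metadata": {"namespace": "prod", "name": "payments-api",
                      "annotations": {ANNOTATION: "true"}}},
        {"metadata": {"namespace": "prod", "name": "default"}},
        {"metadata": {"namespace": "dev", "name": "ci-runner",
                      "annotations": {ANNOTATION: "false"}}},
    ]
}

if __name__ == "__main__":
    # Constructed sample version; replace with `kubectl version -o json` server gitVersion.
    print(assess("v1.25.8", SAMPLE_SA_LIST))
```

Only the annotated accounts are listed because pods using an unannotated service account were never subject to the mountable-secrets policy in the first place, so the bypass changes nothing for them.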

EU & UK References

Vulnerability details

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

CWE(s)

CWE-20: Improper Input Validation

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

kubernetes/kubernetes: versions ≤ 1.24.14; 1.25.0 to 1.25.10; 1.26.0 to 1.26.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
