CVE-2023-2727

Summary

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesv1.24.14 <= <=affected
KubernetesKubernetesv1.25.0 - v1.25.10affected
KubernetesKubernetesv1.26.0 - v1.26.5affected
KubernetesKubernetesv1.27.0 - v1.27.2affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References