Advisory ROSA-SA-2024-2405

software: kubernetes 1.25.15
WASP: ROSA-CHROME

package_evr_string: kubernetes-1.25.15-1

CVE-ID: CVE-2023-2431
BDU-ID: 2023-03899
CVE-Crit: LOW
CVE-DESC.: A vulnerability in the kubelet utility of the Kubernetes virtual machine cluster management software tool is related to insufficient validation of a specified input data type. Exploitation of the vulnerability could allow an attacker to configure certain modules to run in “unrestricted mode”
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update kubernetes

CVE-ID: CVE-2023-2727
BDU-ID: 2023-03213
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the Kubernetes virtual machine cluster management software tool is related to the ability to bypass the policies of the ImagePolicyWebhook admission module. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security restrictions when running containers
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update kubernetes

CVE-ID: CVE-2023-2728
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: Users may be able to run containers to bypass the mounted secrets policy enforced by the ServiceAccount admission plug-in when using ephemeral containers. The policy ensures that modules running ServiceAccount can only reference the secrets specified in the ServiceAccount secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used in conjunction with ephemeral containers.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update kubernetes