Moderate severity · NVD Advisory · Published Jul 3, 2023 · Updated Feb 13, 2025
Bypassing policies imposed by the ImagePolicyWebhook admission plugin
CVE-2023-2727
Description
Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | >= 1.27.0, < 1.27.3 | 1.27.3 |
| k8s.io/kubernetes (Go) | >= 1.26.0, < 1.26.6 | 1.26.6 |
| k8s.io/kubernetes (Go) | >= 1.25.0, < 1.25.11 | 1.25.11 |
| k8s.io/kubernetes (Go) | < 1.24.15 | 1.24.15 |
References
- github.com/advisories/GHSA-qc2g-gmh6-95p4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-2727 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2023/07/06/2 (ghsa, WEB)
- github.com/kubernetes/kubernetes/issues/118640 (ghsa, issue-tracking, WEB)
- github.com/kubernetes/kubernetes/pull/118356 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/118471 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/118473 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/118474 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/118512 (ghsa, WEB)
- groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8 (ghsa, mailing-list, WEB)
- security.netapp.com/advisory/ntap-20230803-0004 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20230803-0004/ (mitre)