{"api_version":"1","generated_at":"2026-04-23T00:40:39+00:00","cve":"CVE-2023-2727","urls":{"html":"https://cve.report/CVE-2023-2727","api":"https://cve.report/api/cve/CVE-2023-2727.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-2727","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-2727"},"summary":{"title":"CVE-2023-2727","description":"Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.","state":"PUBLIC","assigner":"security@kubernetes.io","published_at":"2023-07-03 21:15:00","updated_at":"2023-08-03 15:15:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/2","name":"http://www.openwall.com/lists/oss-security/2023/07/06/2","refsource":"MISC","tags":[],"title":"oss-security - [kubernetes] CVE-2023-2727: Bypassing policies imposed by the\n ImagePolicyWebhook admission plugin","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8","name":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8","refsource":"MISC","tags":[],"title":"[Security Advisory] CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission plugin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/kubernetes/kubernetes/issues/118640","name":"https://github.com/kubernetes/kubernetes/issues/118640","refsource":"MISC","tags":[],"title":"CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin · Issue #118640 · kubernetes/kubernetes · 
GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/","name":"https://security.netapp.com/advisory/ntap-20230803-0004/","refsource":"MISC","tags":[],"title":"July 2023 Kubernetes Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2727","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2727","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"2727","vulnerable":"1","versionEndIncluding":"1.24.14","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kubernetes","cpe5":"kubernetes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"2727","vulnerable":"1","versionEndIncluding":"1.25.10","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kubernetes","cpe5":"kubernetes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"2727","vulnerable":"1","versionEndIncluding":"1.26.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kubernetes","cpe5":"kubernetes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"2727","vulnerable":"1","versionEndIncluding":"1.27.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kubernetes","cpe5":"kubernetes","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-2727","qid":"160760","title":"Oracle Enterprise Linux Security Update for kubernetes 
(ELSA-2023-12562)"},{"cve":"CVE-2023-2727","qid":"160761","title":"Oracle Enterprise Linux Security Update for kubernetes (ELSA-2023-12563)"},{"cve":"CVE-2023-2727","qid":"160762","title":"Oracle Enterprise Linux Security Update for olcne (ELSA-2023-25546)"},{"cve":"CVE-2023-2727","qid":"160763","title":"Oracle Enterprise Linux Security Update for kubernetes (ELSA-2023-12564)"},{"cve":"CVE-2023-2727","qid":"160764","title":"Oracle Enterprise Linux Security Update for olcne (ELSA-2023-25545)"},{"cve":"CVE-2023-2727","qid":"160765","title":"Oracle Enterprise Linux Security Update for kubernetes (ELSA-2023-12561)"},{"cve":"CVE-2023-2727","qid":"181950","title":"Debian Security Update for kubernetes (CVE-2023-2727)"},{"cve":"CVE-2023-2727","qid":"242359","title":"Red Hat Update for red hat build of microshift 4.14.0 (RHSA-2023:5008)"},{"cve":"CVE-2023-2727","qid":"754112","title":"SUSE Enterprise Linux Security Update for kubernetes1.23 (SUSE-SU-2023:2542-1)"},{"cve":"CVE-2023-2727","qid":"754113","title":"SUSE Enterprise Linux Security Update for kubernetes1.18 (SUSE-SU-2023:2541-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-2727","ASSIGNER":"security@kubernetes.io","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. 
Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Kubernetes","product":{"product_data":[{"product_name":"Kubernetes","version":{"version_data":[{"version_affected":"<=","version_name":"v1.24.14","version_value":"<="},{"version_affected":"=","version_value":"v1.25.0 - v1.25.10"},{"version_affected":"=","version_value":"v1.26.0 - v1.26.5"},{"version_affected":"=","version_value":"v1.27.0 - v1.27.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8","refsource":"MISC","name":"https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8"},{"url":"https://github.com/kubernetes/kubernetes/issues/118640","refsource":"MISC","name":"https://github.com/kubernetes/kubernetes/issues/118640"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/06/2","refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2023/07/06/2"},{"url":"https://security.netapp.com/advisory/ntap-20230803-0004/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230803-0004/"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"work_around":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>Prior to upgrading, this vulnerability can be mitigated by running v<span style=\"background-color: var(--wht);\">alidation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral containers.</span></div></div>"}],"value":"Prior to upgrading, this vulnerability can be mitigated by running validation webhooks (such as Gatekeeper and Kyverno) to enforce the same restrictions for ephemeral 
containers.\n\n\n\n"}],"solution":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>To mitigate this vulnerability, upgrade Kubernetes: <a target=\"_blank\" rel=\"nofollow\" href=\"https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\">https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster</a></div></div>"}],"value":"To mitigate this vulnerability, upgrade Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster\n\n\n\n"}],"credits":[{"lang":"en","value":"Stanislav Láznička"}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-07-03 21:15:00","lastModifiedDate":"2023-08-03 
15:15:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.2,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","versionStartIncluding":"1.27.0","versionEndIncluding":"1.27.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","versionStartIncluding":"1.26.0","versionEndIncluding":"1.26.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","versionStartIncluding":"1.25.0","versionEndIncluding":"1.25.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","versionEndIncluding":"1.24.14","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}