Bug 7590 - [Anolis OS 23] Bugfix for CVE-2023-2728
Summary: [Anolis OS 23] Bugfix for CVE-2023-2728
Status: NEW
Alias: None
Product: Anolis OS 23
Classification: Anolis OS
Component: BaseOS Packages (show other bugs) BaseOS Packages
Version: unspecified
Hardware: All Linux
: P3-Medium S3-normal
Target Milestone: ---
Assignee: happy_orange
QA Contact: bolong_tbl
URL:
Whiteboard:
Keywords: CVE
Depends on:
Blocks:
 
Reported: 2023-11-21 17:58 UTC by 小龙
Modified: 2023-11-21 17:58 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description 小龙 admin 2023-11-21 17:58:59 UTC 
Description:
Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.



Broken commit info:

Bugfix commit info:
https://github.com/kubernetes/kubernetes/pull/118356
https://github.com/kubernetes/kubernetes/pull/118512
https://github.com/kubernetes/kubernetes/pull/118474
https://github.com/kubernetes/kubernetes/pull/118356/commits/d6168bb65878192491f6c0c21583404932cdcb82
https://github.com/kubernetes/kubernetes/pull/118471
https://github.com/kubernetes/kubernetes/pull/118473