CVE-2023-2431

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

CVSS v3 3.4 LOW

3.4^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/kubernetes/kubernetes/issues/118690	Issue Tracking
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/	Mailing List
https://github.com/kubernetes/kubernetes/issues/118690	Issue Tracking
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/	Mailing List
https://github.com/kubernetes/kubernetes/issues/118690	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

12 Dec 2024, 16:15

Type	Values Removed	Values Added
References	~~() https://github.com/kubernetes/kubernetes/issues/118690 - Issue Tracking~~	() https://github.com/kubernetes/kubernetes/issues/118690 - Issue Tracking

21 Nov 2024, 07:58

Type	Values Removed	Values Added
References	~~() https://github.com/kubernetes/kubernetes/issues/118690 - Issue Tracking~~	() https://github.com/kubernetes/kubernetes/issues/118690 - Issue Tracking
References	~~() https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10 - Mailing List~~	() https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10 - Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/ - Mailing List~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/ - Mailing List
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : 3.4

Information

Published : 2023-06-16 08:15

Updated : 2024-12-12 16:15

NVD link : CVE-2023-2431

Mitre link : CVE-2023-2431

CVE.ORG link : CVE-2023-2431

JSON object : View

Products Affected

fedoraproject

fedora

kubernetes

kubernetes

CWE

CWE-1287

Improper Validation of Specified Type of Input

NVD-CWE-Other

{"id": "CVE-2023-2431", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "jordan@liggitt.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-06-16T08:15:08.770", "references": [{"url": "https://github.com/kubernetes/kubernetes/issues/118690", "tags": ["Issue Tracking"], "source": "jordan@liggitt.net"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10", "tags": ["Mailing List"], "source": "jordan@liggitt.net"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/", "source": "jordan@liggitt.net"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/", "tags": ["Mailing List"], "source": "jordan@liggitt.net"}, {"url": "https://github.com/kubernetes/kubernetes/issues/118690", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43HDSKBKPSW53OW647B5ETHRWFFNHSRQ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBX4RL4UOC7JHWWYB2AJCKSUM7EG5Y5G/", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/kubernetes/kubernetes/issues/118690", "tags": ["Issue Tracking"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "jordan@liggitt.net", "description": [{"lang": "en", "value": "CWE-1287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet."}], "lastModified": "2024-12-12T16:15:07.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59A9CBF2-B94B-4311-AE41-6CEA2DA7E24B", "versionEndExcluding": "1.24.14"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2D70178-BDE0-430B-8446-0A93FB2323FB", "versionEndExcluding": "1.25.10", "versionStartIncluding": "1.25.0"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D02A28B2-70E6-4B48-9D58-39525AD66C20", "versionEndExcluding": "1.26.5", "versionStartIncluding": "1.26.0"}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C04A62B-D3F5-4E63-819A-0A8868F34643", "versionEndExcluding": "1.27.2", "versionStartIncluding": "1.27.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}], "operator": "OR"}]}], "sourceIdentifier": "jordan@liggitt.net"}

3.4 /10