Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.
                
Metrics

No CVSS v4.0

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None
User Interaction: None

No CVSS v3.0
No CVSS v2

This CVE is not in the KEV list.

Exploitation: none
Automatable: no
Technical Impact: total

Affected Vendors & Products
| Vendors | Products |
|---|---|
| Kubernetes | |
| Redhat | |

Configuration 1

| Package | CPE | Advisory | Released Date | 
|---|---|---|---|
| Red Hat OpenShift Container Platform 4.14 | | | |
| buildah-1:1.29.1-10.1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| butane-0:0.19.0-1.1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| catch-0:3.3.2-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| conmon-3:2.1.7-3.1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| containers-common-2:1-51.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| container-selinux-3:2.221.0-2.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| coreos-installer-0:0.17.0-1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| cri-tools-0:1.27.0-2.1.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| crun-0:1.9.2-1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| crun-wasm-0:1.8.5-3.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| fmt-0:9.1.0-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| google-benchmark-0:1.8.2-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| gtest-0:1.13.0-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| haproxy-0:2.6.13-1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| ignition-0:2.16.2-1.1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kata-containers-0:3.1.3-4.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kernel-0:5.14.0-284.36.1.el9_2 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| nmstate-0:2.2.12-1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| ovn23.09-0:23.09.0-37.el9fdp | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| podman-3:4.4.1-10.1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-decorator-0:4.4.2-6.0.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-fixtures-0:4.0.1-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-futurist-0:2.4.1-0.20230308173923.159d752.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-pbr-0:5.11.1-0.1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-pycadf-0:3.1.1-0.20230308171749.4179996.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-sushy-0:4.5.0-0.20230719180619.146ed33.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-tenacity-0:6.3.1-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-wrapt-0:1.14.1-1.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| runc-4:1.1.9-2.1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| rust-afterburn-0:5.4.3-1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| skopeo-2:1.11.2-10.1.rhaos4.14.el8 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| spdlog-0:1.12.0-1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| toolbox-0:0.1.2-1.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| wasmedge-0:0.12.1-2.rhaos4.14.el9 | cpe:/a:redhat:openshift:4.14::el8 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9 | cpe:/a:redhat:openshift:4.14::el9 | RHSA-2023:5008 | 2023-10-31T00:00:00Z | 
| buildah-1:1.29.1-10.1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| butane-0:0.19.0-1.1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| catch-0:3.3.2-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| conmon-3:2.1.7-3.1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| containers-common-2:1-51.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| container-selinux-3:2.221.0-2.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| coreos-installer-0:0.17.0-1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| cri-o-0:1.27.1-8.1.rhaos4.14.git3fecb83.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| cri-tools-0:1.27.0-2.1.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| crun-0:1.9.2-1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| crun-wasm-0:1.8.5-3.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| fmt-0:9.1.0-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| golang-github-prometheus-promu-0:0.15.0-15.1.gitd5383c5.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| google-benchmark-0:1.8.2-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| gtest-0:1.13.0-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| haproxy-0:2.6.13-1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| ignition-0:2.16.2-1.1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kata-containers-0:3.1.3-4.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kernel-0:5.14.0-284.36.1.el9_2 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| kernel-rt-0:5.14.0-284.36.1.rt14.321.el9_2 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| nmstate-0:2.2.12-1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-0:4.14.0-202310210404.p0.gf67aeb3.assembly.stream.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift4-aws-iso-0:4.14.0-202309272140.p0.gd2acdd5.assembly.stream.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-ansible-0:4.14.0-202310062327.p0.gf781421.assembly.stream.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-clients-0:4.14.0-202310191146.p0.g0c63f9d.assembly.stream.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openshift-kuryr-0:4.14.0-202309272140.p0.g8926a29.assembly.stream.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-1:21.5.0-0.20231002130534.0df5961.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-inspector-0:11.5.0-0.20230706175125.193aa0d.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| openstack-ironic-python-agent-0:9.5.0-0.20230728140546.fce0b8c.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| ovn23.09-0:23.09.0-37.el9fdp | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| podman-3:4.4.1-10.1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-automaton-0:3.1.0-0.20230608140652.a4f7631.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-cinderclient-0:9.3.0-0.20230608143053.f7a612e.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-cliff-0:4.3.0-0.20230608150702.72e81d7.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-debtcollector-0:2.5.0-0.20230308172820.a6b46c5.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-decorator-0:4.4.2-6.0.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-dracclient-0:8.0.0-0.20230308200614.9c7499c.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-fixtures-0:4.0.1-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-futurist-0:2.4.1-0.20230308173923.159d752.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-glanceclient-1:4.3.0-0.20230608143056.52fb6b2.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-hardware-0:0.30.0-0.20230308190813.f6ff0ed.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-ironic-lib-0:5.4.1-0.20230706172632.25d8671.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-ironic-prometheus-exporter-0:4.1.1-0.20230614150617.7b35627.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystoneauth1-0:5.2.0-0.20230608152518.2e40bbf.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystoneclient-1:5.1.0-0.20230608141554.4763cd8.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-keystonemiddleware-0:10.3.0-0.20230608151410.92cdf8a.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-openstacksdk-0:1.2.0-0.20230608155226.b7ff031.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-osc-lib-0:2.8.0-0.20230608151456.db9cdc9.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-cache-0:3.4.0-0.20230608153448.a720016.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-concurrency-0:5.1.1-0.20230706190204.0af5942.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-config-2:9.1.1-0.20230608145954.515daab.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-context-0:5.1.1-0.20230608143931.7696282.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-db-0:12.3.1-0.20230608142355.b689b63.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-i18n-0:6.0.0-0.20230608140652.03605c2.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-log-0:5.2.0-0.20230608150750.16a8a42.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-messaging-0:14.3.1-0.20230608152013.0602d1a.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-middleware-0:5.1.1-0.20230608145931.7725ac9.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-policy-0:4.2.0-0.20230608153320.93129eb.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-rootwrap-0:7.0.1-0.20230608144658.b72372b.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-serialization-0:5.1.1-0.20230608144505.b4be3a4.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-service-0:3.1.1-0.20230608145222.b3ba591.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-upgradecheck-0:2.1.1-0.20230608143829.eeedfc9.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-utils-0:6.1.0-0.20230608142355.d49d594.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-oslo-versionedobjects-0:3.1.0-0.20230608141554.b4ea834.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-osprofiler-0:3.4.3-0.20230308173821.3286301.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-os-service-types-0:1.7.0-0.20230308170555.0b2f473.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-os-traits-0:3.0.0-0.20230608152745.cff125c.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-pbr-0:5.11.1-0.1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-proliantutils-0:2.14.1-0.20230608154738.3de2844.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-pycadf-0:3.1.1-0.20230308171749.4179996.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-requestsexceptions-0:1.4.0-0.20230308170555.d7ac0ff.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-scciclient-0:0.12.3-0.20230308201513.0940a71.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-stevedore-0:5.1.0-0.20230608154210.2d99ccc.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-sushy-0:4.5.0-0.20230719180619.146ed33.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-sushy-oem-idrac-0:5.0.0-0.20230308202122.da9a0e4.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-swiftclient-0:4.3.0-0.20230608151934.236c277.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-tenacity-0:6.3.1-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-tooz-0:4.1.0-0.20230608154038.d5bf20c.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| python-wrapt-0:1.14.1-1.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| runc-4:1.1.9-2.1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| rust-afterburn-0:5.4.3-1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| skopeo-2:1.11.2-10.1.rhaos4.14.el8 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| spdlog-0:1.12.0-1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| toolbox-0:0.1.2-1.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 
| wasmedge-0:0.12.1-2.rhaos4.14.el9 | cpe:/a:redhat:openshift_ironic:4.14::el9 | RHSA-2023:5009 | 2023-10-31T00:00:00Z | 

History

Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |

Thu, 13 Feb 2025 17:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers. | Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers. | 
Mon, 25 Nov 2024 17:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc |

MITRE
Status: PUBLISHED
Assigner: kubernetes
Published: 2023-07-03T20:06:11.796Z
Updated: 2025-02-13T16:45:20.353Z
Reserved: 2023-05-16T00:32:00.189Z
Link: CVE-2023-2728

Vulnrichment
Updated: 2024-08-02T06:33:05.263Z

NVD
Status: Modified
Published: 2023-07-03T21:15:09.557
Modified: 2025-02-13T17:16:22.447
Link: CVE-2023-2728

Redhat