CVE-2023-2431: 
NixOS vulnerability analysis and mitigation

A security issue (CVE-2023-2431) was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. The vulnerability affects pods that use localhost type for seccomp profile but specify an empty profile field, enabling the pod to run in unconfined (seccomp disabled) mode. This vulnerability was reported by Tim Allclair and fixed by Craig Ingram, with a CVSS score of 5.5 (Medium) (Ubuntu CVE, K8s Issue).

The vulnerability affects Kubernetes versions v1.27.0-v1.27.1, v1.26.0-v1.26.4, v1.25.0-v1.25.9, and versions prior to v1.24.13. The issue occurs when pods use localhost type for seccomp profile with an empty profile field, which results in the pod running in unconfined mode, effectively disabling seccomp protection. The vulnerability has been assigned a CVSS base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Ubuntu CVE).

When exploited, this vulnerability allows pods to run in unconfined (seccomp disabled) mode, bypassing the intended security controls provided by seccomp profile enforcement. This could potentially lead to elevated privileges and compromise of container isolation mechanisms (K8s Issue, K8s Announce).

The vulnerability has been fixed in Kubernetes versions v1.27.2, v1.26.5, v1.25.10, and v1.24.14. Users are advised to upgrade their Kubelet to one of these fixed versions to remediate the vulnerability (K8s Issue, K8s Announce).