CVE-2023-2727: 
NixOS vulnerability analysis and mitigation

CVE-2023-2727 is a security vulnerability discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. The vulnerability was discovered and disclosed in July 2023, affecting Kubernetes clusters that use the ImagePolicyWebhook admission plugin together with ephemeral containers. The affected versions include kube-apiserver v1.27.0-v1.27.2, v1.26.0-v1.26.5, v1.25.0-v1.25.10, and versions up to v1.24.14 (Kubernetes Announce, GitHub Issue).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The vulnerability specifically affects the ImagePolicyWebhook admission plugin functionality when used in conjunction with ephemeral containers, allowing potential bypass of image restrictions (OSS Security, NetApp Advisory).

When successfully exploited, this vulnerability could lead to unauthorized container launches using restricted images, potentially compromising the security policies implemented through the ImagePolicyWebhook admission plugin. The impact is particularly significant for clusters that rely on ImagePolicyWebhook for enforcing image usage policies (GitHub Issue).

The vulnerability has been patched in kube-apiserver versions v1.27.3, v1.26.6, v1.25.11, and v1.24.15. The patch prevents ephemeral containers from using images that are restricted by ImagePolicyWebhook. As an alternative mitigation, validation webhooks such as Gatekeeper and Kyverno can be used to enforce the same restrictions (OSS Security).

The vulnerability was reported by Stanislav Láznička and fixed by Rita Zhang. The Kubernetes Security Response Committee has rated this as a Medium severity issue, and various organizations including NetApp have issued security advisories to their customers regarding this vulnerability (NetApp Advisory).