CVE-2023-2728: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2023-2728) was discovered in Kubernetes where users could potentially bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The vulnerability was disclosed on July 3, 2023, affecting multiple versions of Kubernetes including v1.27.0-v1.27.2, v1.26.0-v1.26.5, v1.25.0-v1.25.10, and versions up to v1.24.14 (Kubernetes Issue, OSS Security).

The vulnerability allows containers to bypass the policy that ensures pods running with a service account may only reference secrets specified in the service account's secrets field. The issue received a CVSS v3.1 score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The vulnerability specifically affects clusters where both the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used in conjunction with ephemeral containers (Kubernetes Issue).

When successfully exploited, this vulnerability could lead to unauthorized access to secrets and potential disclosure of sensitive information. The impact is particularly significant as it could allow containers to access secrets that weren't explicitly specified in the service account's secrets field, potentially compromising the security boundaries established by the ServiceAccount admission plugin (NetApp Advisory).

The vulnerability has been patched in multiple Kubernetes versions: v1.27.3, v1.26.6, v1.25.11, and v1.24.15. The fix prevents ephemeral containers from bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Kubernetes Issue).