CVE-2023-2728

MEDIUM

kubernetes <1.24.14, 1.27.0-1.27.2 - Policy Bypass via Ephemeral Container Mountable Secrets

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2728. PoCs published by Cgv-Dev.

AI-analyzed exploit summary This repository contains a functional Metasploit module that exploits CVE-2024-3177 and CVE-2023-2728 in Kubernetes to bypass the mountable secrets policy imposed by the ServiceAccount admission plugin. The module creates a Pod with a specified container type (normal, init, or ephemeral) to expose secrets as environment variables.

Description

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

Exploits (1)

nomisec WORKING POC

by Cgv-Dev · poc

https://github.com/Cgv-Dev/Metasploit-Module-TFM

View Code ZIP pw:eip

This repository contains a functional Metasploit module that exploits CVE-2024-3177 and CVE-2023-2728 in Kubernetes to bypass the mountable secrets policy imposed by the ServiceAccount admission plugin. The module creates a Pod with a specified container type (normal, init, or ephemeral) to expose secrets as environment variables.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes v1.27.2 and other vulnerable versions

Auth required

Prerequisites: Valid Kubernetes API token with necessary permissions · Access to the Kubernetes API server · Knowledge of the target namespace and secret name

MITRE ATT&CK

T1552 - Unsecured Credentials T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2023/07/06/3

Mailing List mailing-list

https://groups.google.com/g/kubernetes-security-announce/c/vPWYJ_L84m8

Issue Tracking issue-tracking

https://github.com/kubernetes/kubernetes/issues/118640

Vendor Advisory

https://security.netapp.com/advisory/ntap-20230803-0004/

Scores

CVSS v3 6.5

EPSS 0.0485

EPSS Percentile 89.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (2)

k8s.io/kubernetes 1.27.0 - 1.27.3Go

kubernetes/kubernetes < 1.24.14

Published Jul 03, 2023

Tracked Since Feb 18, 2026