Description
A security issue was discovered in Kubelet that allows pods to bypass seccomp profile enforcement. Pods whose seccomp profile is of type Localhost but whose profile field (localhostProfile) is empty are affected: instead of applying a seccomp filter, Kubelet runs such a pod unconfined, that is, with seccomp disabled. This bug affects Kubelet.
A flaw was found in Kubernetes. A local, authenticated attacker can bypass security restrictions because of how a seccomp profile of type Localhost with an empty profile field is handled. By submitting a specially crafted request (a pod specification with this seccomp configuration), the attacker bypasses seccomp profile enforcement for that pod.
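The condition described above is easy to audit for: a pod is affected when any seccompProfile in its spec has type Localhost and an empty or missing localhostProfile. The following script is an added example, not code from Kubernetes or from the advisory; the three pod manifests in it are constructed for illustration (names, namespace and image references are hypothetical). It checks the pod-level securityContext and every container-level one, since a container setting overrides the pod setting, and contrasts the affected shape with a correctly populated Localhost reference and with RuntimeDefault.

```python
"""Audit pod manifests for a seccomp profile of type Localhost with an empty profile.

Added example, not Kubernetes project code. The manifests below are constructed
for illustration; pod names, the namespace and image references are hypothetical.
"""
from typing import Any, Iterator

# Constructed sample: pod-level seccompProfile of type Localhost with an empty
# localhostProfile, the exact shape the advisory describes.
VULNERABLE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "empty-localhost-profile", "namespace": "demo"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "Localhost", "localhostProfile": ""}
        },
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
    },
}

# Constructed sample: the pod level is fine (RuntimeDefault), but one container
# overrides it with Localhost and omits localhostProfile entirely.
CONTAINER_OVERRIDE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "container-override", "namespace": "demo"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {
                "name": "sidecar",
                "image": "example.invalid/sidecar:1.0",
                "securityContext": {"seccompProfile": {"type": "Localhost"}},
            },
            {"name": "app", "image": "example.invalid/app:1.0"},
        ],
    },
}

# Constructed sample: a populated Localhost reference (a path relative to the
# kubelet's seccomp profile root) at pod level and RuntimeDefault on the container.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened", "namespace": "demo"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/app.json"}
        },
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",
                "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            }
        ],
    },
}


def _seccomp_sites(pod: dict[str, Any]) -> Iterator[tuple[str, dict[str, Any]]]:
    """Yield (path, seccompProfile) for every place a profile can be set.

    Container-level settings override the pod level, so each site is checked on its own.
    """
    spec = pod.get("spec", {})
    profile = spec.get("securityContext", {}).get("seccompProfile")
    if profile is not None:
        yield "spec.securityContext", profile
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for idx, ctr in enumerate(spec.get(field, [])):
            profile = ctr.get("securityContext", {}).get("seccompProfile")
            if profile is not None:
                yield f"spec.{field}[{idx}].securityContext", profile


def is_empty_localhost(profile: dict[str, Any]) -> bool:
    """True when type is Localhost but no profile name is given (empty, blank or missing)."""
    name = profile.get("localhostProfile") or ""
    return profile.get("type") == "Localhost" and not name.strip()


def find_unconfined_localhost(pod: dict[str, Any]) -> list[str]:
    """Return the paths at which this pod would end up running without a seccomp filter."""
    return [path for path, profile in _seccomp_sites(pod) if is_empty_localhost(profile)]


def audit(pods: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map namespace/name to findings, listing only pods with at least one hit."""
    results: dict[str, list[str]] = {}
    for pod in pods:
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        findings = find_unconfined_localhost(pod)
        if findings:
            results[key] = findings
    return results


if __name__ == "__main__":
    for name, paths in audit([VULNERABLE_POD, CONTAINER_OVERRIDE_POD, HARDENED_POD]).items():
        print(f"{name}: empty Localhost seccomp profile at {', '.join(paths)}")
```

To run this against a live cluster, feed it the `items` list from `kubectl get pods -A -o json`; the same check can be applied to pod templates in Deployments, DaemonSets and similar workloads by passing their `spec.template` objects. The script only reports the configuration pattern; whether an affected pod actually runs unconfined depends on the Kubelet version in use.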
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
CloudForms Management Engine 5 | kubernetes | Not affected | ||
OpenShift API for Data Protection | oadp/oadp-velero-plugin-for-microsoft-azure-rhel8 | Fix deferred | ||
OpenShift Serverless | io.fabric8:kubernetes-model | Fix deferred | ||
Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-main-rhel8 | Fix deferred | ||
Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-scanner-rhel8 | Fix deferred | ||
Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-main-rhel8 | Fix deferred | ||
Red Hat Enterprise Linux 7 | kubernetes | Out of support scope | ||
Red Hat OpenShift Container Platform 4 | csi-driver-nfs-container | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/cnf-tests-rhel8 | Not affected | ||
Red Hat OpenShift Container Platform 4 | openshift4/dpu-network-rhel8-operator | Not affected | ||
Additional information
Status:
EPSS:
CVSS3: 3.4 Low
Related vulnerabilities
Kubelet vulnerable to bypass of seccomp profile enforcement