CVE-2023-2431

NameCVE-2023-2431
DescriptionA security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kubernetes (PTS)bullseye1.20.5+really1.20.2-1fixed
sid, bookworm1.20.5+really1.20.2-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kubernetessource(unstable)1.20.5+really1.20.2-1

Notes

Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version
The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
https://github.com/kubernetes/kubernetes/issues/118690

Search for package or bug name: Reporting problems