An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions update, patch the pods/ephemeralcontainers subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Kube-apiserver | Kubernetes | - (including) | - (including) |
| Red Hat OpenShift Container Platform 4.10 | RedHat | openshift-0:4.10.0-202308291228.p0.g26fdcdf.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.11 | RedHat | openshift-0:4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.12 | RedHat | openshift-0:4.12.0-202307040929.p0.g1485cc9.assembly.stream.el9 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift-0:4.13.0-202307132344.p0.gf245ced.assembly.stream.el8 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9 | * |