Rita Zhang

**Nome do software vulnerável e versões afetadas** azure-file-csi-driver (versões afetadas não especificadas) **Descrição** Foi detectada uma falha de segurança no azure-file-csi-driver, na qual um invasor com acesso aos registros do driver poderia observar tokens de contas de serviço. Esses tokens poderiam, então, ser potencialmente trocados com provedores de nuvem externos para acessar segredos armazenados em soluções de cofre na nuvem. Os tokens são registrados apenas quando `TokenRequests` está configurado no objeto `CSIDriver` e o driver está definido para ser executado no nível de log 2 ou superior por meio do sinalizador `-v`. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Kubernetes (affected versions not specified) **Description** The issue allows users to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. This policy ensures that pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kubernetes (affected versions not specified) **Description** The issue is related to the possibility of bypassing the ImagePolicyWebhook admission plugin's policies when using ephemeral containers in Kubernetes clusters. This could allow a remote attacker to circumvent existing security restrictions when launching containers. The vulnerability is associated with the use of the ImagePolicyWebhook admission plugin together with ephemeral containers. **Recommendations** As a temporary workaround, consider disabling the use of ephemeral containers with the ImagePolicyWebhook admission plugin until a patch is available. Restrict access to the ImagePolicyWebhook admission plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.