Privilege Escalation in kOps using GCE/GCP Provider in Gossip Mode
CVE-2023-1943

8HIGH

Key Information:

Vendor: Kubernetes
Status: Kops
Vendor: CVE Published:; 12 October 2023

Summary

A privilege escalation vulnerability exists in kOps when operating with the GCE/GCP Provider in Gossip Mode. This flaw could potentially allow unauthorized users to gain elevated access privileges within the Kubernetes environment, posing a significant risk to system security and data integrity. Users of kOps should ensure that they are following best practices for configuration and security to mitigate this risk.

Affected Version(s)

kops 0 < 1.25.3

kops 1.26.0 < 1.26.2

kops 1.25.3

References

https://github.com/kubernetes/kops/issues/15539

issue-tracking

https://groups.google.com/g/kubernetes-security-announce/...

mailing-list

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 12, 2023
Vulnerability Reserved
Apr 7, 2023

Credit

James Cleverley-Prance