Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation
CVE-2023-3676

8.8HIGH

Key Information:

Vendor: Kubernetes
Status: Kubelet
Vendor: CVE Published:; 31 October 2023

Summary

A security issue has been identified in Kubernetes that potentially allows users with pod creation permissions on Windows nodes to escalate their privileges to admin level. This vulnerability poses a risk specifically for Kubernetes clusters that integrate Windows nodes, as it can lead to unauthorized access and control over the affected nodes, potentially compromising the entire cluster's security.

Affected Version(s)

kubelet v1.28.0

kubelet v1.27.0

kubelet v1.26.0

References

https://github.com/kubernetes/kubernetes/issues/119339

issue-tracking

https://groups.google.com/g/kubernetes-security-announce/...

mailing-list

https://security.netapp.com/advisory/ntap-20231130-0007/

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 31, 2023
Vulnerability Reserved
Jul 14, 2023

Credit

Tomer Peled