Kubernetes - csi-proxy - Insufficient input sanitization leads to privilege escalation
CVE-2023-3893

8.8HIGH

Key Information:

Vendor: Kubernetes
Status: Csi-proxy
Vendor: CVE Published:; 3 November 2023

What is CVE-2023-3893?

A security flaw has been identified in Kubernetes affecting environments where Windows nodes are running the kubernetes-csi-proxy. Specifically, users with the capability to create pods may exploit this vulnerability to escalate their privileges to admin-level access on the affected nodes. This issue emphasizes the need for diligent monitoring and management of permissions within Kubernetes clusters hosting Windows components.

Affected Version(s)

csi-proxy v2.0.0-alpha.0

csi-proxy 0

csi-proxy v2.0.0-alpha.1

References

https://github.com/kubernetes/kubernetes/issues/119594

issue-tracking

https://groups.google.com/g/kubernetes-security-announce/...

mailing-list

https://security.netapp.com/advisory/ntap-20231221-0004/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 3, 2023
Vulnerability Reserved
Jul 24, 2023

Credit

James Sturtevant

Mark Rossetti