Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation
CVE-2023-3955
8.8 HIGH
Summary
A vulnerability has been identified in Kubernetes that allows a user who can create pods on Windows nodes to escalate their privileges to the administrator level on those nodes. Any Kubernetes cluster that runs Windows nodes is exposed, since a user with only pod-creation permissions could gain elevated access to and control over the node. Administrators of such clusters should review their exposure and apply the necessary mitigations to protect their systems.
Affected Version(s)
kubelet v1.28.0
kubelet v1.27.0
kubelet v1.26.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
James Sturtevant
Mark Rossetti