CVE-2023-3893: Improper Input Validation in Kubernetes-csi Csi-proxy

Severity: 8.8 HIGH (NVD)
EPSS: 3.7% (top 12.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 3; Latest update Aug 21

Description

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (6 packages)

Ecosystem | Package | Versions
Go | github.com/kubernetes-csi_csi-proxy | 0.1.0-rc1 to 1.1.3 (+3)
Go | github.com/kubernetes-csi_csi-proxy_v2 | 2.0.0-alpha.0 to 2.0.0-alpha.1
CVEListV5 | kubernetes/csi-proxy | v1.1.2 (+1)
Debian | debian/kubernetes | < kubernetes 1.20.5+really1.20.2-1 (bookworm)

🔴 Vulnerability Details (4)

OSV: Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation in github.com/kubernetes-csi/csi-proxy (2024-08-21)
OSV: Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation (2023-11-03)
OSV: CVE-2023-3893: A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate (2023-11-03)
GHSA: Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation (2023-11-03)

📋 Vendor Advisories (2)

Red Hat: kubernetes: Insufficient input sanitization on kubernetes CSI proxy leads to privilege escalation (2023-08-23)
Debian: CVE-2023-3893: kubernetes - A security issue was discovered in Kubernetes where a user that can create pods... (2023)

🕵️ Threat Intelligence (1)

Wiz: Crying Out Cloud - August Newsletter | Wiz (2023-08-30)