CVE-2023-5528
Published 2023-11-14
Priority: P3 · 53 · high · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.58% (87.9th percentile)
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| k8s.io | kubernetes | >= 0 < 1.25.16 | 1.25.16 |
| k8s.io | kubernetes | >= 1.26.0 < 1.26.11 | 1.26.11 |
| k8s.io | kubernetes | >= 1.27.0 < 1.27.8 | 1.27.8 |
| k8s.io | kubernetes | >= 1.28.0 < 1.28.4 | 1.28.4 |
| kubernetes | kubelet | <= v1.25.15 | — |
| kubernetes | kubelet | v1.26.0 – v1.26.10 | — |
| kubernetes | kubelet | v1.27.0 – v1.27.7 | — |
| kubernetes | kubelet | v1.28.0 – v1.28.3 | — |
| kubernetes | kubernetes | >= 1.26.0 < 1.26.11 | 1.26.11 |
| kubernetes | kubernetes | >= 1.27.0 < 1.27.8 | 1.27.8 |
| kubernetes | kubernetes | >= 1.28.0 < 1.28.4 | 1.28.4 |
| kubernetes | kubernetes | >= 1.8.0 < 1.25.16 | 1.25.16 |
| msrc | azl3_kubernetes_1.28.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubernetes_1.28.7-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cri-o_1.22.3-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubernetes_1.28.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation via Kubernetes audit logs: look for Persistent Volume create events where local path fields contain special characters.
- Check for presence of Windows nodes in the cluster as a prerequisite for exposure.
- Exploitation results in code execution from kubelet context (SYSTEM privileges) on Windows nodes.
- Only Kubernetes clusters using an in-tree storage plugin for Windows nodes are affected; clusters without Windows nodes or without in-tree storage plugins are not impacted.
- Any Kubernetes environment with Windows nodes is impacted regardless of cloud provider.
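An added example, not part of the original page or of the Kubernetes project's code: the audit-log check from the first bullet above, run over constructed `audit.k8s.io/v1` JSON lines. It assumes the audit policy records persistent volume requests at `Request` level or higher (so `requestObject` is present); the `SAFE_PATH` allowlist and every name in the sample are assumptions.

```python
import json
import re

# Assumption: characters expected in a legitimate Windows local volume path; tune per cluster.
SAFE_PATH = re.compile(r"[A-Za-z0-9\\/:._-]+")

def suspicious_pv_creates(lines):
    """Return (user, pv_name, path) for PV creates whose local path looks unusual."""
    hits, seen = [], set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        ref = ev.get("objectRef") or {}
        if ev.get("verb") != "create" or ref.get("resource") != "persistentvolumes":
            continue
        # requestObject is only present at audit level Request or RequestResponse.
        obj = ev.get("requestObject") or {}
        path = ((obj.get("spec") or {}).get("local") or {}).get("path")
        aid = ev.get("auditID")
        if path is None or (aid is not None and aid in seen):
            continue  # no local volume source, or this request was already reported
        if not isinstance(path, str) or not SAFE_PATH.fullmatch(path):
            seen.add(aid)
            user = (ev.get("user") or {}).get("username", "?")
            name = (obj.get("metadata") or {}).get("name", "?")
            hits.append((user, name, path))
    return hits

def _event(audit_id, verb, resource, user, name=None, path=None):
    # Helper that builds one constructed audit event as a JSON line.
    ev = {"auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
          "user": {"username": user}, "objectRef": {"resource": resource}}
    if path is not None:
        ev["requestObject"] = {"metadata": {"name": name}, "spec": {"local": {"path": path}}}
    return json.dumps(ev)

# Constructed sample log lines, not taken from a real cluster.
SAMPLE = [
    _event("a1", "create", "persistentvolumes", "alice", "pv-ok", "C:\\mnt\\disk1"),
    _event("a2", "create", "persistentvolumes", "bob", "pv-odd", "C:\\mnt\\disk1 & constructed"),
    _event("a2", "create", "persistentvolumes", "bob", "pv-odd", "C:\\mnt\\disk1 & constructed"),
    _event("a4", "create", "pods", "bob"),
    '{"auditID": "a5", "verb": "crea',
]

if __name__ == "__main__":
    print(suspicious_pv_creates(SAMPLE))
```

An event is reported once per `auditID`, so the same request logged at several stages or shipped twice does not produce duplicate alerts.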
CVSS provenance
- nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vendor_debian: 7.2 LOW
- vendor_msrc: 7.2 HIGH
- vendor_redhat: 7.2 HIGH
Red Hat
kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
vendor_redhat·2023-11-14·CVSS 7.2
CVE-2023-5528 [HIGH] CWE-20 kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
A flaw was found in Kubernetes, where a user who can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Statement: Any Kubernetes environment with Windows nodes is impacted. Run `kubectl get nodes -l kubernetes.io/os=windows` to see if any
Microsoft
Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation
vendor_msrc·2023-11-14·CVSS 7.2
CVE-2023-5528 [HIGH] CWE-20 Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
kubernetes: kubernetes
Customer Action Req
Debian
CVE-2023-5528: kubernetes - A security issue was discovered in Kubernetes where a user that can create pods ...
vendor_debian·2023·CVSS 7.2
CVE-2023-5528 [HIGH] CVE-2023-5528: kubernetes - A security issue was discovered in Kubernetes where a user that can create pods ...
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes
osv·2024-08-21
CVE-2023-5528 Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes
OSV
Kubernetes Improper Input Validation vulnerability
osv·2023-11-14
CVE-2023-5528 [HIGH] Kubernetes Improper Input Validation vulnerability
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
GHSA
Kubernetes Improper Input Validation vulnerability
ghsa·2023-11-14
CVE-2023-5528 [HIGH] CWE-20 Kubernetes Improper Input Validation vulnerability
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
No detection rules found.
No public exploits indexed.
arXiv
KubeFence: Security Hardening of the Kubernetes Attack Surface
arxiv_fulltext·2025-04-15
Carmine Cesarano, Roberto Natella
Università degli Studi di Napoli Federico II, Italy
{carmine.cesarano2, roberto.natella}@unina.it
## Abstract
Kubernetes (K8s) is widely used to orchestrate containerized applications, including critical services in domains such as finance, healthcare, and government. However, its extensive and feature-rich API interface exposes a broad attack surface, making K8s vulnerable to exploits of software vulnerabilities and misconfigurations. Even if K8s adopts role-based access control (RBAC) to manage access to K8s APIs, this approach lacks the granularity needed to protect specification attributes within API requests.
This paper proposes a novel solution, KubeFence, which implements finer-grain API filtering t
HackerOne
CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
hackerone·2023-12-21·CVSS 7.2
CVE-2023-5528 [HIGH] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
This is an imported report from the email I sent a month ago about a code injection vulnerability.
The vulnerability was assigned as CVE-2023-5528.
As a reference, I have talked with Balaji from the k8 team.
Excerpts from the email chain that might be relevant:
"Just a quick update to let you know that we were able to reproduce the issue and are working on a fix. CVE-2023-5528 has been reserved for this issue. We'll keep you updated on the next steps as we review the proposed fix."
"Hi Tomer,
This is being rated as a Tier 1 High severity ($5,000) bounty."
The vulnerability was verified and assigned a CVE by the k8 team.
## Impact
Code execution from kubelet context
- https://github.com/kubernetes/kubernetes/issues/121879
- https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA
- https://lists.fedoraproject.org/archives/list/[email protected]/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4/
- https://security.netapp.com/advisory/ntap-20240119-0009/