CVE-2023-5528
published 2023-11-14

Priority: P353 high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.58% (87.9th percentile)

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

Affected

24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| k8s.io | kubernetes | >= 0 < 1.25.16 | 1.25.16 |
| k8s.io | kubernetes | >= 1.26.0 < 1.26.11 | 1.26.11 |
| k8s.io | kubernetes | >= 1.27.0 < 1.27.8 | 1.27.8 |
| k8s.io | kubernetes | >= 1.28.0 < 1.28.4 | 1.28.4 |
| kubernetes | kubelet | <= v1.25.15 | |
| kubernetes | kubelet | v1.26.0 – v1.26.10 | |
| kubernetes | kubelet | v1.27.0 – v1.27.7 | |
| kubernetes | kubelet | v1.28.0 – v1.28.3 | |
| kubernetes | kubernetes | >= 1.26.0 < 1.26.11 | 1.26.11 |
| kubernetes | kubernetes | >= 1.27.0 < 1.27.8 | 1.27.8 |
| kubernetes | kubernetes | >= 1.28.0 < 1.28.4 | 1.28.4 |
| kubernetes | kubernetes | >= 1.8.0 < 1.25.16 | 1.25.16 |
| msrc | azl3_kubernetes_1.28.3-2_on_azure_linux_3.0 | | |
| msrc | azl3_kubernetes_1.28.7-2_on_azure_linux_3.0 | | |
| msrc | azure_linux_3.0_arm | | |
| msrc | azure_linux_3.0_x64 | | |
| msrc | cbl2_cri-o_1.22.3-14_on_cbl_mariner_2.0 | | |
| msrc | cbl2_kubernetes_1.28.4-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |

Detection & IOCs (extracted from sources)

  • Detect exploitation via Kubernetes audit logs: look for Persistent Volume create events where local path fields contain special characters
  • Check for presence of Windows nodes in the cluster as a prerequisite for exposure
  • Exploitation results in code execution from kubelet context (SYSTEM privileges) on Windows nodes
  • Only Kubernetes clusters using an in-tree storage plugin for Windows nodes are affected; clusters without Windows nodes or without in-tree storage plugins are not impacted
  • Any Kubernetes environment with Windows nodes is impacted regardless of cloud provider

CVSS provenance

  • nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • vendor_debian: 7.2 LOW
  • vendor_msrc: 7.2 HIGH
  • vendor_redhat: 7.2 HIGH