CVE-2023-5528 — Improper Input Validation in Kubernetes

CWE-20 — Improper Input Validation9 documents8 sources

Severity

8.8HIGHNVD

CNA7.2

EPSS

18.5%

top 4.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

K8s.io Kubernetes Kubernetes Kubernetes Kubelet +1 more

Timeline

PublishedNov 14

Latest updateAug 21

Description

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Gok8s.io/kubernetes1.28.0 — 1.28.4+3

▶NVDkubernetes/kubernetes1.8.0 — 1.25.16+3

▶CVEListV5kubernetes/kubeletv1.28.0 — v1.28.3+3

Also affects: Fedora 37, 38, 39

Patches

Patch: github.com ↗Patch: github.com ↗Patch: lists.fedoraproject.org ↗

🔴Vulnerability Details

OSV

Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes↗2024-08-21

▶

OSV

Kubernetes Improper Input Validation vulnerability↗2023-11-14

▶

GHSA

Kubernetes Improper Input Validation vulnerability↗2023-11-14

▶

CVEList

Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation↗2023-11-14

▶

📋Vendor Advisories

Red Hat

kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes↗2023-11-14

▶

Microsoft

Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation↗2023-11-14

▶

Debian

CVE-2023-5528: kubernetes - A security issue was discovered in Kubernetes where a user that can create pods ...↗2023

▶

💬Community

HackerOne

CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes↗2023-12-21

▶