CVE-2023-5528

Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation

Description

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

References

Link	Tags
https://github.com/kubernetes/kubernetes/issues/121879	patch issue tracking
https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA	mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ/	patch release notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7/	patch release notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4/	patch release notes
https://security.netapp.com/advisory/ntap-20240119-0009/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-5528?: CVE-2023-5528 has been scored as a high severity vulnerability.
How to fix CVE-2023-5528?: To fix CVE-2023-5528, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-5528 being actively exploited in the wild?: It is possible that CVE-2023-5528 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~18% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-5528?: CVE-2023-5528 affects Kubernetes kubelet.

Description

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions