CVE-2023-3676 k8s.io/kubernetes

Package

Manager: go
Name: k8s.io/kubernetes
Vulnerable Version: =1.28.0 || >=1.28.0 <1.28.1 || >=1.27.0 <1.27.5 || >=1.26.0 <1.26.8 || >=1.25.0 <1.25.13 || >=0 <1.24.17

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.35687 (percentile: 0.96958)

Details

Kubernetes privilege escalation vulnerability

A security issue was discovered in Kubernetes where a user who can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Metadata

Created: 2023-10-31T21:32:35Z
Modified: 2025-02-13T19:20:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7fxm-f474-hf8w/GHSA-7fxm-f474-hf8w.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-7fxm-f474-hf8w
Finding: F184
Auto approve: 1