CVE-2023-3955 – k8s.io/kubernetes
Package
Manager: go
Name: k8s.io/kubernetes
Vulnerable Version: =1.28.0 || >=1.28.0 <1.28.1 || >=1.27.0 <1.27.5 || >=1.26.0 <1.26.8 || >=1.25.0 <1.25.13 || >=0 <1.24.17
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L
EPSS: 0.00579 (percentile: 0.67914)
Details
Kubernetes privilege escalation vulnerability
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Metadata
Created: 2023-10-31T21:32:35Z
Modified: 2025-02-13T19:20:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-q78c-gwqw-jcmc/GHSA-q78c-gwqw-jcmc.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-q78c-gwqw-jcmc
Finding: F159
Auto approve: 1