Critical severity 9.8 (NVD) · Advisory · Published Jul 17, 2017 · Updated May 13, 2026
CVE-2017-1000056
Description
Kubernetes versions 1.5.0 through 1.5.4 are vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin. When a pod is created without a service account, the plugin checks the policy against a nil service-account identity, and that nil identity was treated as authorized for every policy; a user who can create such a pod could therefore make use of any existing PodSecurityPolicy object, regardless of which policies that user is actually permitted to use.
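The nil-identity mechanics described above, as an added example that is not code from the Kubernetes project: a cut-down model of the admission plugin's policy matching before and after fix commit 7fef0a4f6a44, driven by an in-memory allow-list authorizer and two constructed policies, "privileged" and "restricted". The names allowList, scenario, matchingPoliciesVulnerable and matchingPoliciesFixed, and the one-method UserInfo and Authorizer interfaces, are assumptions made for this illustration; the real plugin authorizes a "get" on the policy through the API server's authorizer with attributes built from user.Info.

```go
package main

import (
	"fmt"
	"sort"
)

// UserInfo is the slice of k8s user.Info this example needs (assumption: only the name matters).
type UserInfo interface {
	GetName() string
}

// DefaultInfo stands in for user.DefaultInfo.
type DefaultInfo struct{ Name string }

func (d *DefaultInfo) GetName() string { return d.Name }

// PodSecurityPolicy stands in for extensions.PodSecurityPolicy; only the name is used.
type PodSecurityPolicy struct{ Name string }

// Authorizer answers "may subject use the named policy?" (assumption, simplified from k8s authorizer.Authorizer).
type Authorizer interface {
	Authorize(subject, policyName string) bool
}

// allowList is a constructed authorizer: subject name -> set of policies that subject may use.
type allowList map[string]map[string]bool

func (a allowList) Authorize(subject, policyName string) bool { return a[subject][policyName] }

// authorizedForPolicyVulnerable reproduces the pre-fix branch: a nil identity authorizes everything.
func authorizedForPolicyVulnerable(info UserInfo, p PodSecurityPolicy, authz Authorizer) bool {
	if info == nil {
		return true // the bug: nil was meant for the unsecured port but is also what a pod without a SA passes
	}
	return authz.Authorize(info.GetName(), p.Name)
}

// authorizedForPolicyFixed mirrors the patched branch: a nil identity is never authorized on its own.
func authorizedForPolicyFixed(info UserInfo, p PodSecurityPolicy, authz Authorizer) bool {
	if info == nil {
		return false
	}
	return authz.Authorize(info.GetName(), p.Name)
}

// matchingPoliciesVulnerable is the pre-fix loop: user OR service account may authorize the policy.
func matchingPoliciesVulnerable(policies []PodSecurityPolicy, user, sa UserInfo, authz Authorizer) []string {
	var out []string
	for _, p := range policies {
		if authorizedForPolicyVulnerable(user, p, authz) || authorizedForPolicyVulnerable(sa, p, authz) {
			out = append(out, p.Name)
		}
	}
	sort.Strings(out)
	return out
}

// matchingPoliciesFixed is the patched loop: only a nil user (unsecured port) bypasses authorization,
// and a nil service account contributes nothing.
func matchingPoliciesFixed(policies []PodSecurityPolicy, user, sa UserInfo, authz Authorizer) []string {
	var out []string
	for _, p := range policies {
		if user == nil || authorizedForPolicyFixed(user, p, authz) || authorizedForPolicyFixed(sa, p, authz) {
			out = append(out, p.Name)
		}
	}
	sort.Strings(out)
	return out
}

// scenario builds constructed inputs: two policies, and an authorizer where alice may use only "restricted".
func scenario() ([]PodSecurityPolicy, Authorizer) {
	policies := []PodSecurityPolicy{{Name: "privileged"}, {Name: "restricted"}}
	authz := allowList{"alice": {"restricted": true}}
	return policies, authz
}

func main() {
	policies, authz := scenario()
	alice := &DefaultInfo{Name: "alice"}
	// Pod created by alice with no service account: sa is an untyped nil interface.
	fmt.Println("vulnerable, alice, no SA:", matchingPoliciesVulnerable(policies, alice, nil, authz))
	fmt.Println("fixed, alice, no SA:     ", matchingPoliciesFixed(policies, alice, nil, authz))
	fmt.Println("fixed, unsecured port:   ", matchingPoliciesFixed(policies, nil, nil, authz))
}
```

Run it and the vulnerable loop lists both policies for alice, because the nil service account "authorizes" the privileged one; the fixed loop lists only restricted. The unsecured-port case (nil user) still returns everything in both versions, which is the behaviour the patch deliberately keeps. One Go caveat when porting this kind of check: a typed nil pointer stored in an interface is not `== nil`, so callers must pass an untyped nil for "no service account" or the nil branch is never taken.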
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | >= 1.5.0, < 1.5.5 | 1.5.5 |
Affected products
- cpe:2.3:a:kubernetes:kubernetes:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:kubernetes:kubernetes:1.5.4:*:*:*:*:*:*:*
Patches
7fef0a4f6a44 Authorize PSP usage for pods without service accounts
2 files changed · +6 −8
plugin/pkg/admission/security/podsecuritypolicy/admission.go+3 −4 modified@@ -316,7 +316,8 @@ func getMatchingPolicies(store cache.Store, user user.Info, sa user.Info, authz return nil, errors.NewInternalError(fmt.Errorf("error converting object from store to a pod security policy: %v", c)) } - if authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) { + // if no user info exists then the API is being hit via the unsecured port. In this case authorize the request. + if user == nil || authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) { matchedPolicies = append(matchedPolicies, constraint) } } @@ -326,10 +327,8 @@ func getMatchingPolicies(store cache.Store, user user.Info, sa user.Info, authz // authorizedForPolicy returns true if info is authorized to perform a "get" on policy. func authorizedForPolicy(info user.Info, policy *extensions.PodSecurityPolicy, authz authorizer.Authorizer) bool { - // if no info exists then the API is being hit via the unsecured port. In this case - // authorize the request. if info == nil { - return true + return false } attr := buildAttributes(info, policy) allowed, _, _ := authz.Authorize(attr)
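Review bot: the doc comment on authorizedForPolicy still says it "returns true if info is authorized to perform a "get" on policy" while its nil branch now returns false; state the nil behaviour there (for example "a nil info is never authorized; the unsecured-port case is handled by the caller") so the next reader does not restore the old `return true`. Relatedly, the new `if user == nil || authorizedForPolicy(user, constraint, authz) || ...` in getMatchingPolicies keeps the unsecured-port bypass by short-circuit, so the fix only holds if every authenticated code path passes a non-nil user; a short comment at the call site naming that contract, and a note that `allowed, _, _ := authz.Authorize(attr)` discards the authorizer error and so relies on `allowed` being false on error, would make the intent explicit.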
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go+3 −4 modified@@ -1617,7 +1617,7 @@ func TestGetMatchingPolicies(t *testing.T) { // (ie. a request hitting the unsecure port) expectedPolicies: sets.NewString("policy1", "policy2", "policy3"), }, - "policies are allowed for nil sa info": { + "policies are not allowed for nil sa info": { user: &user.DefaultInfo{Name: "user"}, sa: nil, disallowedPolicies: map[string][]string{ @@ -1629,9 +1629,8 @@ func TestGetMatchingPolicies(t *testing.T) { policyWithName("policy2"), policyWithName("policy3"), }, - // all policies are allowed regardless of the permissions when sa info is nil - // (ie. a request hitting the unsecure port) - expectedPolicies: sets.NewString("policy1", "policy2", "policy3"), + // only the policies for the user are allowed when sa info is nil + expectedPolicies: sets.NewString("policy2"), }, } for k, v := range tests {
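Review bot: the renamed case "policies are not allowed for nil sa info" still expects "policy2", so nil sa info does not deny everything, it only stops adding policies beyond the user's own; a name such as "nil sa info grants no policies beyond the user's" matches the updated comment ("only the policies for the user are allowed when sa info is nil") better than "not allowed". The preceding case, visible here only through its context lines ("a request hitting the unsecure port", expecting policy1-3), covers the nil-user bypass that admission.go deliberately keeps, so that path stays tested.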
References
- github.com/advisories/GHSA-2jx2-76rc-2v7v (GHSA advisory)
- github.com/kubernetes/kubernetes/issues/43459 (NVD: mitigation, third-party advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-1000056 (NVD entry, cited by GHSA)
- github.com/kubernetes/kubernetes/commit/7fef0a4f6a44ea36f166c39fdade5324eff2dd5e (fix commit, cited by GHSA)