High severityNVD Advisory· Published Oct 31, 2023· Updated Feb 13, 2025
Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation
CVE-2023-3955
Description
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | >= 1.28.0, < 1.28.1 | 1.28.1 |
k8s.io/kubernetesGo | >= 1.27.0, < 1.27.5 | 1.27.5 |
k8s.io/kubernetesGo | >= 1.26.0, < 1.26.8 | 1.26.8 |
k8s.io/kubernetesGo | >= 1.25.0, < 1.25.13 | 1.25.13 |
k8s.io/kubernetesGo | < 1.24.17 | 1.24.17 |
Affected products
122- osv-coords121 versionspkg:apk/chainguard/argo-cd-2.7pkg:apk/chainguard/argo-cd-2.7-compatpkg:apk/chainguard/argo-cd-2.7-repo-serverpkg:apk/chainguard/argo-cd-2.8pkg:apk/chainguard/argo-cd-2.8-compatpkg:apk/chainguard/argo-cd-2.8-repo-serverpkg:apk/chainguard/aws-ebs-csi-driver-1.18pkg:apk/chainguard/aws-ebs-csi-driver-1.19pkg:apk/chainguard/aws-efs-csi-driverpkg:apk/chainguard/aws-efs-csi-driver-fipspkg:apk/chainguard/aws-efs-csi-driver-fips-1.6pkg:apk/chainguard/calicopkg:apk/chainguard/calico-apiserverpkg:apk/chainguard/calico-app-policypkg:apk/chainguard/calico-cnipkg:apk/chainguard/calico-cni-compatpkg:apk/chainguard/calico-cni-fips-3.25-compatpkg:apk/chainguard/calico-cni-fips-compatpkg:apk/chainguard/calicoctlpkg:apk/chainguard/calicoctl-fipspkg:apk/chainguard/calicoctl-fips-3.25pkg:apk/chainguard/calico-felixpkg:apk/chainguard/calico-fipspkg:apk/chainguard/calico-fips-3.25pkg:apk/chainguard/calico-fips-apiserverpkg:apk/chainguard/calico-fips-apiserver-3.25pkg:apk/chainguard/calico-fips-app-policypkg:apk/chainguard/calico-fips-app-policy-3.25pkg:apk/chainguard/calico-fips-cnipkg:apk/chainguard/calico-fips-cni-3.25pkg:apk/chainguard/calico-fips-felixpkg:apk/chainguard/calico-fips-felix-3.25pkg:apk/chainguard/calico-fips-key-cert-provisionerpkg:apk/chainguard/calico-fips-kube-controllerspkg:apk/chainguard/calico-fips-kube-controllers-3.25pkg:apk/chainguard/calico-fips-nodepkg:apk/chainguard/calico-fips-node-3.25pkg:apk/chainguard/calico-fips-pod2daemonpkg:apk/chainguard/calico-fips-pod2daemon-3.25pkg:apk/chainguard/calico-fips-typha-clientpkg:apk/chainguard/calico-fips-typha-client-3.25pkg:apk/chainguard/calico-fips-typhadpkg:apk/chainguard/calico-fips-typhad-3.25pkg:apk/chainguard/calico-key-cert-provisionerpkg:apk/chainguard/calico-kube-controllerspkg:apk/chainguard/calico-nodepkg:apk/chainguard/calico-pod2daemonpkg:apk/chainguard/calico-pod2daemon-flexvol-compatpkg:apk/chainguard/calico-typha-clientpkg:apk/chainguard/calico-typhadpkg:apk/chainguard/cluster-autoscaler-1.25pkg:apk/chainguard/cluster-autoscaler-1.25-compatpkg:apk/chainguard/cluster-autoscaler-1.26pkg:apk/chainguard/cluster-autoscaler-1.26-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.25pkg:apk/chainguard/cluster-autoscaler-fips-1.25-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.28pkg:apk/chainguard/cluster-autoscaler-fips-1.28-compatpkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/chainguard/kubernetes-dns-node-cache-1.17pkg:apk/chainguard/nodetaintpkg:apk/chainguard/secrets-store-csi-driverpkg:apk/chainguard/secrets-store-csi-driver-fipspkg:apk/chainguard/sparkctlpkg:apk/chainguard/spark-operatorpkg:apk/chainguard/spark-operator-oci-entrypointpkg:apk/wolfi/argo-cd-2.7pkg:apk/wolfi/argo-cd-2.7-compatpkg:apk/wolfi/argo-cd-2.7-repo-serverpkg:apk/wolfi/argo-cd-2.8pkg:apk/wolfi/argo-cd-2.8-compatpkg:apk/wolfi/argo-cd-2.8-repo-serverpkg:apk/wolfi/aws-efs-csi-driverpkg:apk/wolfi/calicopkg:apk/wolfi/calico-apiserverpkg:apk/wolfi/calico-app-policypkg:apk/wolfi/calico-cnipkg:apk/wolfi/calico-cni-compatpkg:apk/wolfi/calicoctlpkg:apk/wolfi/calico-felixpkg:apk/wolfi/calico-key-cert-provisionerpkg:apk/wolfi/calico-kube-controllerspkg:apk/wolfi/calico-nodepkg:apk/wolfi/calico-pod2daemonpkg:apk/wolfi/calico-pod2daemon-flexvol-compatpkg:apk/wolfi/calico-typha-clientpkg:apk/wolfi/calico-typhadpkg:apk/wolfi/cluster-autoscaler-1.25pkg:apk/wolfi/cluster-autoscaler-1.25-compatpkg:apk/wolfi/cluster-autoscaler-1.26pkg:apk/wolfi/cluster-autoscaler-1.26-compatpkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:apk/wolfi/nodetaintpkg:apk/wolfi/secrets-store-csi-driverpkg:apk/wolfi/sparkctlpkg:apk/wolfi/spark-operatorpkg:apk/wolfi/spark-operator-oci-entrypointpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 2.7.14-r8+ 120 more
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 1.18.0-r8
- (no CPE)range: < 1.19.0-r8
- (no CPE)range: < 1.7.0-r6
- (no CPE)range: < 1.7.0-r5
- (no CPE)range: < 1.6.0-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 0
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 1.25.3-r4
- (no CPE)range: < 1.25.3-r4
- (no CPE)range: < 1.26.4-r4
- (no CPE)range: < 1.26.4-r4
- (no CPE)range: < 1.25.3-r7
- (no CPE)range: < 1.25.3-r7
- (no CPE)range: < 1.28.0-r5
- (no CPE)range: < 1.28.0-r5
- (no CPE)range: < 2.0.5-r5
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.7.14-r8
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 2.8.6-r1
- (no CPE)range: < 1.7.0-r6
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 3.26.3-r5
- (no CPE)range: < 1.25.3-r4
- (no CPE)range: < 1.25.3-r4
- (no CPE)range: < 1.26.4-r4
- (no CPE)range: < 1.26.4-r4
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 2.14.3-r3
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 1.28.0, < 1.28.1
- (no CPE)range: < 0.0.20241213T205935-1.1
- Kubernetes/kubeletv5Range: v1.28.0
Patches
Vulnerability mechanics
References
17- github.com/advisories/GHSA-q78c-gwqw-jcmcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-3955ghsaADVISORY
- github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546aghsaWEB
- github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596ghsaWEB
- github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9ghsaWEB
- github.com/kubernetes/kubernetes/commit/b7547e28f898af37aa2f1107a49111f963250fe6ghsaWEB
- github.com/kubernetes/kubernetes/commit/c4e17abb04728e3a3f9bb26e727b0f978df20ec9ghsaWEB
- github.com/kubernetes/kubernetes/issues/119595ghsaissue-trackingWEB
- github.com/kubernetes/kubernetes/pull/120128ghsaWEB
- github.com/kubernetes/kubernetes/pull/120134ghsaWEB
- github.com/kubernetes/kubernetes/pull/120135ghsaWEB
- github.com/kubernetes/kubernetes/pull/120136ghsaWEB
- github.com/kubernetes/kubernetes/pull/120137ghsaWEB
- github.com/kubernetes/kubernetes/pull/120138ghsaWEB
- groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83Eghsamailing-listWEB
- security.netapp.com/advisory/ntap-20231221-0002ghsaWEB
- security.netapp.com/advisory/ntap-20231221-0002/mitre
News mentions
0No linked articles in our index yet.