High severityNVD Advisory· Published Nov 14, 2023· Updated Feb 25, 2026
Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation
CVE-2023-5528
Description
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/kubernetesGo | >= 1.28.0, < 1.28.4 | 1.28.4 |
k8s.io/kubernetesGo | >= 1.27.0, < 1.27.8 | 1.27.8 |
k8s.io/kubernetesGo | >= 1.26.0, < 1.26.11 | 1.26.11 |
k8s.io/kubernetesGo | < 1.25.16 | 1.25.16 |
Affected products
144- osv-coords143 versionspkg:apk/chainguard/argo-cd-2.7pkg:apk/chainguard/argo-cd-2.7-compatpkg:apk/chainguard/argo-cd-2.7-repo-serverpkg:apk/chainguard/argo-cd-2.8pkg:apk/chainguard/argo-cd-2.8-compatpkg:apk/chainguard/argo-cd-2.8-repo-serverpkg:apk/chainguard/argo-cd-2.9pkg:apk/chainguard/argo-cd-2.9-compatpkg:apk/chainguard/argo-cd-2.9-repo-serverpkg:apk/chainguard/argo-cd-fips-2.8pkg:apk/chainguard/argo-cd-fips-2.8-compatpkg:apk/chainguard/argo-cd-fips-2.8-repo-serverpkg:apk/chainguard/argo-cd-fips-2.9pkg:apk/chainguard/argo-cd-fips-2.9-compatpkg:apk/chainguard/argo-cd-fips-2.9-repo-serverpkg:apk/chainguard/aws-ebs-csi-driverpkg:apk/chainguard/aws-ebs-csi-driver-1.18pkg:apk/chainguard/aws-ebs-csi-driver-1.19pkg:apk/chainguard/aws-efs-csi-driverpkg:apk/chainguard/aws-efs-csi-driver-fipspkg:apk/chainguard/aws-efs-csi-driver-fips-1.6pkg:apk/chainguard/calicopkg:apk/chainguard/calico-apiserverpkg:apk/chainguard/calico-app-policypkg:apk/chainguard/calico-cnipkg:apk/chainguard/calico-cni-compatpkg:apk/chainguard/calico-cni-fips-3.25-compatpkg:apk/chainguard/calico-cni-fips-compatpkg:apk/chainguard/calicoctlpkg:apk/chainguard/calicoctl-fipspkg:apk/chainguard/calicoctl-fips-3.25pkg:apk/chainguard/calico-felixpkg:apk/chainguard/calico-fipspkg:apk/chainguard/calico-fips-3.25pkg:apk/chainguard/calico-fips-apiserverpkg:apk/chainguard/calico-fips-apiserver-3.25pkg:apk/chainguard/calico-fips-app-policypkg:apk/chainguard/calico-fips-app-policy-3.25pkg:apk/chainguard/calico-fips-cnipkg:apk/chainguard/calico-fips-cni-3.25pkg:apk/chainguard/calico-fips-felixpkg:apk/chainguard/calico-fips-felix-3.25pkg:apk/chainguard/calico-fips-key-cert-provisionerpkg:apk/chainguard/calico-fips-kube-controllerspkg:apk/chainguard/calico-fips-kube-controllers-3.25pkg:apk/chainguard/calico-fips-nodepkg:apk/chainguard/calico-fips-node-3.25pkg:apk/chainguard/calico-fips-pod2daemonpkg:apk/chainguard/calico-fips-pod2daemon-3.25pkg:apk/chainguard/calico-fips-typha-clientpkg:apk/chainguard/calico-fips-typha-client-3.25pkg:apk/chainguard/calico-fips-typhadpkg:apk/chainguard/calico-fips-typhad-3.25pkg:apk/chainguard/calico-key-cert-provisionerpkg:apk/chainguard/calico-kube-controllerspkg:apk/chainguard/calico-nodepkg:apk/chainguard/calico-pod2daemonpkg:apk/chainguard/calico-pod2daemon-flexvol-compatpkg:apk/chainguard/calico-typha-clientpkg:apk/chainguard/calico-typhadpkg:apk/chainguard/cluster-autoscaler-1.25pkg:apk/chainguard/cluster-autoscaler-1.25-compatpkg:apk/chainguard/cluster-autoscaler-1.27pkg:apk/chainguard/cluster-autoscaler-1.27-compatpkg:apk/chainguard/cluster-autoscaler-1.28pkg:apk/chainguard/cluster-autoscaler-1.28-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.25pkg:apk/chainguard/cluster-autoscaler-fips-1.25-compatpkg:apk/chainguard/cluster-autoscaler-fips-1.28pkg:apk/chainguard/cluster-autoscaler-fips-1.28-compatpkg:apk/chainguard/ip-masq-agentpkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/chainguard/kubernetes-csi-driver-hostpathpkg:apk/chainguard/kubernetes-dns-node-cachepkg:apk/chainguard/nodetaintpkg:apk/chainguard/prometheus-adapterpkg:apk/chainguard/sparkctlpkg:apk/chainguard/spark-operatorpkg:apk/chainguard/spark-operator-oci-entrypointpkg:apk/wolfi/argo-cd-2.7pkg:apk/wolfi/argo-cd-2.7-compatpkg:apk/wolfi/argo-cd-2.7-repo-serverpkg:apk/wolfi/argo-cd-2.8pkg:apk/wolfi/argo-cd-2.8-compatpkg:apk/wolfi/argo-cd-2.8-repo-serverpkg:apk/wolfi/argo-cd-2.9pkg:apk/wolfi/argo-cd-2.9-compatpkg:apk/wolfi/argo-cd-2.9-repo-serverpkg:apk/wolfi/aws-ebs-csi-driverpkg:apk/wolfi/aws-efs-csi-driverpkg:apk/wolfi/calicopkg:apk/wolfi/calico-apiserverpkg:apk/wolfi/calico-app-policypkg:apk/wolfi/calico-cnipkg:apk/wolfi/calico-cni-compatpkg:apk/wolfi/calicoctlpkg:apk/wolfi/calico-felixpkg:apk/wolfi/calico-key-cert-provisionerpkg:apk/wolfi/calico-kube-controllerspkg:apk/wolfi/calico-nodepkg:apk/wolfi/calico-pod2daemonpkg:apk/wolfi/calico-pod2daemon-flexvol-compatpkg:apk/wolfi/calico-typha-clientpkg:apk/wolfi/calico-typhadpkg:apk/wolfi/cluster-autoscaler-1.25pkg:apk/wolfi/cluster-autoscaler-1.25-compatpkg:apk/wolfi/cluster-autoscaler-1.27pkg:apk/wolfi/cluster-autoscaler-1.27-compatpkg:apk/wolfi/cluster-autoscaler-1.28pkg:apk/wolfi/cluster-autoscaler-1.28-compatpkg:apk/wolfi/ip-masq-agentpkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:apk/wolfi/kubernetes-csi-driver-hostpathpkg:apk/wolfi/kubernetes-dns-node-cachepkg:apk/wolfi/nodetaintpkg:apk/wolfi/prometheus-adapterpkg:apk/wolfi/sparkctlpkg:apk/wolfi/spark-operatorpkg:apk/wolfi/spark-operator-oci-entrypointpkg:golang/k8s.io/kubernetespkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0+ 142 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.9.9-r1
- (no CPE)range: < 2.9.9-r1
- (no CPE)range: < 2.9.9-r1
- (no CPE)range: < 1.25.0-r2
- (no CPE)range: < 1.18.0-r9
- (no CPE)range: < 1.19.0-r9
- (no CPE)range: < 1.7.1-r1
- (no CPE)range: < 1.7.0-r5
- (no CPE)range: < 1.6.0-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.25.2-r5
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 1.25.3-r5
- (no CPE)range: < 1.25.3-r5
- (no CPE)range: < 1.27.3-r7
- (no CPE)range: < 1.27.3-r7
- (no CPE)range: < 1.28.0-r7
- (no CPE)range: < 1.28.0-r7
- (no CPE)range: < 1.25.3-r7
- (no CPE)range: < 1.25.3-r7
- (no CPE)range: < 1.28.0-r6
- (no CPE)range: < 1.28.0-r6
- (no CPE)range: < 2.9.3-r4
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.22.28-r1
- (no CPE)range: < 0.0.4-r8
- (no CPE)range: < 0.11.2-r1
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.25.0-r2
- (no CPE)range: < 1.7.1-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 3.26.4-r1
- (no CPE)range: < 1.25.3-r5
- (no CPE)range: < 1.25.3-r5
- (no CPE)range: < 1.27.3-r7
- (no CPE)range: < 1.27.3-r7
- (no CPE)range: < 1.28.0-r7
- (no CPE)range: < 1.28.0-r7
- (no CPE)range: < 2.9.3-r4
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.22.28-r1
- (no CPE)range: < 0.0.4-r8
- (no CPE)range: < 0.11.2-r1
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: < 1.1.27-r17
- (no CPE)range: >= 1.28.0, < 1.28.4
- (no CPE)range: < 0.0.20250807T150727-1.1
- Kubernetes/kubeletv5Range: v1.28.0
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-hq6q-c2x6-hmchghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-5528ghsaADVISORY
- github.com/kubernetes/kubernetes/issues/121879ghsaissue-trackingWEB
- github.com/kubernetes/kubernetes/pull/121881ghsaWEB
- github.com/kubernetes/kubernetes/pull/121882ghsaWEB
- github.com/kubernetes/kubernetes/pull/121883ghsaWEB
- github.com/kubernetes/kubernetes/pull/121884ghsaWEB
- github.com/kubernetes/kubernetes/pull/121885ghsaWEB
- groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzAghsamailing-listWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4ghsaWEB
- security.netapp.com/advisory/ntap-20240119-0009ghsaWEB
News mentions
0No linked articles in our index yet.