What is CVE-2023-5528?

CVE-2023-5528 is a vulnerability in Kubernetes that allows a user to escalate to admin privileges on Windows nodes.

How does CVE-2023-5528 impact Kubernetes clusters?

Kubernetes clusters are affected if they are using an in-tree storage plugin for Windows nodes.

What is the severity of CVE-2023-5528?

The severity of CVE-2023-5528 is high with a CVSS score of 7.2.

How can I fix CVE-2023-5528?

To fix CVE-2023-5528, update Kubernetes to version 1.25.16, 1.26.11, 1.27.8, or 1.28.4.

Where can I find more information about CVE-2023-5528?

More information about CVE-2023-5528 can be found in the following references: [GitHub](https://github.com/kubernetes/kubernetes/issues/121879), [Google Groups](https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5528).

Vulnerability/
CVE-2023-5528

high

8.8

CWE

31/10/2023

14/11/2023

6/9/2024

CVE-2023-5528: Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation

First published: Tue Oct 31 2023(Updated: )

A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

Credit: jordan@liggitt.net jordan@liggitt.net

Affected Software	Affected Version	How to fix
go/k8s.io/kubernetes	<1.25.16	1.25.16
go/k8s.io/kubernetes	>=1.26.0<1.26.11	1.26.11
go/k8s.io/kubernetes	>=1.27.0<1.27.8	1.27.8
go/k8s.io/kubernetes	>=1.28.0<1.28.4	1.28.4
redhat/kubernetes	<1.25.16	1.25.16
redhat/kubernetes	<1.26.11	1.26.11
redhat/kubernetes	<1.27.8	1.27.8
redhat/kubernetes	<1.28.4	1.28.4
Kubernetes Kubernetes	>=1.8.0<1.25.16
Kubernetes Kubernetes	>=1.26.0<1.26.11
Kubernetes Kubernetes	>=1.27.0<1.27.8
Kubernetes Kubernetes	>=1.28.0<1.28.4
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38
Fedoraproject Fedora	=39
	>=1.8.0<1.25.16
	>=1.26.0<1.26.11
	>=1.27.0<1.27.8
	>=1.28.0<1.28.4
	=37
	=38
	=39

Remedy

https://github.com/kubernetes/kubernetes/issues/121879

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-5528?
CVE-2023-5528 is a vulnerability in Kubernetes that allows a user to escalate to admin privileges on Windows nodes.
How does CVE-2023-5528 impact Kubernetes clusters?
Kubernetes clusters are affected if they are using an in-tree storage plugin for Windows nodes.
What is the severity of CVE-2023-5528?
The severity of CVE-2023-5528 is high with a CVSS score of 7.2.
How can I fix CVE-2023-5528?
To fix CVE-2023-5528, update Kubernetes to version 1.25.16, 1.26.11, 1.27.8, or 1.28.4.
Where can I find more information about CVE-2023-5528?
More information about CVE-2023-5528 can be found in the following references: [GitHub](https://github.com/kubernetes/kubernetes/issues/121879), [Google Groups](https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-5528).

collector/oss-sec
alias/CVE-2023-5528
agent/author
agent/type
agent/first-publish-date
agent/weakness
agent/title
agent/remedy
agent/severity
agent/description
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
collector/github-advisory-latest
source/GitHub
alias/GHSA-hq6q-c2x6-hmch
agent/last-modified-date
agent/references
agent/tags
agent/softwarecombine
agent/event
collector/nvd-cve
collector/github-advisory
package-manager/redhat
vendor/kubernetes
canonical/kubernetes kubernetes
version/kubernetes kubernetes/1.8.0
version/kubernetes kubernetes/1.26.0
version/kubernetes kubernetes/1.27.0
version/kubernetes kubernetes/1.28.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/37
version/fedoraproject fedora/38
version/fedoraproject fedora/39
package-manager/go