First published: Tue Nov 14 2023
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Affected Software | Affected Version | How to fix |
---|---|---|
go/k8s.io/kubernetes | <1.25.16 | 1.25.16 |
go/k8s.io/kubernetes | >=1.26.0 <1.26.11 | 1.26.11 |
go/k8s.io/kubernetes | >=1.27.0 <1.27.8 | 1.27.8 |
go/k8s.io/kubernetes | >=1.28.0 <1.28.4 | 1.28.4 |
The severity of GHSA-hq6q-c2x6-hmch is high.
To fix GHSA-hq6q-c2x6-hmch, update to version 1.25.16, 1.26.11, 1.27.8, or 1.28.4 of Kubernetes.
More information about GHSA-hq6q-c2x6-hmch can be found at the following references: [CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528), [GitHub issue](https://github.com/kubernetes/kubernetes/issues/121879), [Google group discussion](https://groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA).