OpenCVE

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kubernetes	Kubelet Kubernetes
Microsoft	Windows
Redhat	Openshift

Configuration 1 [-]

AND

OR	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::
	cpe:2.3:a:kubernetes:kubernetes::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.10
openshift4-wincw/windows-machine-config-rhel8-operator:5.1.2-3	cpe:/a:redhat:openshift:4.10::el8	RHSA-2023:4835	2023-08-29T00:00:00Z
Red Hat OpenShift Container Platform 4.11
openshift4-wincw/windows-machine-config-rhel8-operator:6.0.2-5	cpe:/a:redhat:openshift:4.11::el8	RHSA-2023:4780	2023-08-28T00:00:00Z
Red Hat OpenShift Container Platform 4.12
openshift4-wincw/windows-machine-config-rhel8-operator:7.1.1-9	cpe:/a:redhat:openshift:4.12::el8	RHSA-2023:4777	2023-08-28T00:00:00Z
Red Hat OpenShift Container Platform 4.13
openshift4-wincw/windows-machine-config-rhel9-operator:8.0.2-9	cpe:/a:redhat:openshift:4.13::el9	RHSA-2023:4885	2023-08-30T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4-wincw/windows-machine-config-operator-bundle:v9.0.0-104	cpe:/a:redhat:openshift:4.14::el9	RHSA-2023:7515	2023-11-27T00:00:00Z
openshift4-wincw/windows-machine-config-rhel9-operator:9.0.0-105	cpe:/a:redhat:openshift:4.14::el9	RHSA-2023:7515	2023-11-27T00:00:00Z
openshift4/windows-machine-config-operator-bundle:v9.0.0-104	cpe:/a:redhat:openshift:4.14::el9	RHSA-2023:7515	2023-11-27T00:00:00Z

References

Link	Providers
https://github.com/kubernetes/kubernetes/issues/119595
https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
https://nvd.nist.gov/vuln/detail/CVE-2023-3955
https://security.netapp.com/advisory/ntap-20231221-0002/
https://www.cve.org/CVERecord?id=CVE-2023-3955

History

Tue, 15 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kubernetes kubelet
CPEs		cpe:2.3:a:kubernetes:kubelet::::::::
Vendors & Products		Kubernetes kubelet
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2023-10-31T20:36:54.352Z

Updated: 2024-10-15T17:57:40.577Z

Reserved: 2023-07-26T13:51:11.192Z

Link: CVE-2023-3955

Vulnrichment

Updated: 2024-08-02T07:08:50.695Z

NVD

Status : Modified

Published: 2023-10-31T21:15:08.613

Modified: 2023-12-21T22:15:14.280

Link: CVE-2023-3955

Redhat

Severity : Important

Publid Date: 2023-08-23T13:00:00Z

Links: CVE-2023-3955 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object