GO-2023-2330

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-2330

Import Source

https://vuln.go.dev/ID/GO-2023-2330.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-2330

Aliases

Published

2024-08-21T14:30:22Z

Modified

2024-12-12T22:00:26Z

Summary

Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes

Details

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-2330"
}

References

Affected packages

Go / k8s.io/kubernetes

Package

Name: k8s.io/kubernetes; View open source insights on deps.dev
Purl: pkg:golang/k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.17

Introduced

1.25.0

Fixed

1.25.13

Introduced

1.26.0

Fixed

1.26.8

Introduced

1.27.0

Fixed

1.27.5

Introduced

1.28.0

Fixed

1.28.1

Ecosystem specific

{
    "imports": [
        {
            "path": "k8s.io/kubernetes/pkg/volume/util/subpath",
            "symbols": [
                "evalSymlink",
                "getUpperPath"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}