Input validation error in CSI Proxy

#VU80010 Input validation error in CSI Proxy

Published: 2023-08-25

Vulnerability identifier: #VU80010

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3893

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CSI Proxy
Universal components / Libraries / Programming Languages & Components

Vendor: Kubernetes

Description

The vulnerability allows a remote user to escalate privileges on Windows nodes.

The vulnerability exists due to improper input validation. A remote user with ability to create pods on Windows nodes can obtain administrative privileges on these nodes.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CSI Proxy: 0.1.0 - 1.1.2

External links
http://seclists.org/oss-sec/2023/q3/127
http://github.com/kubernetes/kubernetes/issues/119594

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Privilege escalation in Kubernetes CSI Proxy