Skip to content

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc#2170
Assignees
neild
Labels
excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Nov 1, 2023

In GitHub Security Advisory GHSA-q78c-gwqw-jcmc, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
k8s.io/kubernetes 1.24.17 < 1.24.17

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: k8s.io/kubernetes
      versions:
        - fixed: 1.24.17
      vulnerable_at: 1.24.16
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.25.0
          fixed: 1.25.13
      vulnerable_at: 1.25.12
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.26.0
          fixed: 1.26.8
      vulnerable_at: 1.26.7
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: 1.27.0
          fixed: 1.27.5
      vulnerable_at: 1.27.4
      packages:
        - package: k8s.io/kubernetes
    - module: k8s.io/kubernetes
      versions:
        - introduced: TODO (earliest fixed "1.28.1", vuln range "= 1.28.0")
      packages:
        - package: k8s.io/kubernetes
summary: Kubernetes privilege escalation vulnerability
cves:
    - CVE-2023-3955
ghsas:
    - GHSA-q78c-gwqw-jcmc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-3955
    - report: https://github.com/kubernetes/kubernetes/issues/119595
    - web: https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
    - fix: https://github.com/kubernetes/kubernetes/pull/120128
    - fix: https://github.com/kubernetes/kubernetes/pull/120134
    - fix: https://github.com/kubernetes/kubernetes/pull/120135
    - fix: https://github.com/kubernetes/kubernetes/pull/120136
    - fix: https://github.com/kubernetes/kubernetes/pull/120137
    - fix: https://github.com/kubernetes/kubernetes/pull/120138
    - fix: https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a
    - fix: https://github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596
    - fix: https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9
    - fix: https://github.com/kubernetes/kubernetes/commit/b7547e28f898af37aa2f1107a49111f963250fe6
    - fix: https://github.com/kubernetes/kubernetes/commit/c4e17abb04728e3a3f9bb26e727b0f978df20ec9
    - advisory: https://github.com/advisories/GHSA-q78c-gwqw-jcmc

Metadata

Metadata

Assignees

Labels

excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions