Skip to content

Commit

Permalink
data/reports: review GO-2023-2170 and GO-2023-2330
Browse files Browse the repository at this point in the history 
User-requested review.

  - data/reports/GO-2023-2170.yaml
  - data/reports/GO-2023-2330.yaml

Updates #2170
Updates #2330
Fixes #3322

Change-Id: I1eec81f034263c43dd2938d84c366df9fc9a0bb1
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635706
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
  • Loading branch information
@tatianab @gopherbot
tatianab authored and gopherbot committed Dec 12, 2024
1 parent ec8e9cf commit 004aa43
Show file tree
Hide file tree
Showing 4 changed files with 136 additions and 24 deletions.
81 changes: 73 additions & 8 deletions data/osv/GO-2023-2170.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@
"CVE-2023-3955",
"GHSA-q78c-gwqw-jcmc"
],
"summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
"details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
"summary": "Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes and k8s.io/mount-utils",
"details": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
"affected": [
{
"package": {
Expand Down Expand Up @@ -52,18 +52,83 @@
]
}
],
"ecosystem_specific": {}
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/kubernetes/pkg/volume/util",
"goos": [
"windows"
],
"symbols": [
"WriteVolumeCache"
]
}
]
}
},
{
"package": {
"name": "k8s.io/mount-utils",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.24.17"
},
{
"introduced": "0.25.0"
},
{
"fixed": "0.25.13"
},
{
"introduced": "0.26.0"
},
{
"fixed": "0.26.8"
},
{
"introduced": "0.27.0"
},
{
"fixed": "0.27.5"
},
{
"introduced": "0.28.0"
},
{
"fixed": "0.28.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/mount-utils",
"goos": [
"windows"
],
"symbols": [
"SafeFormatAndMount.formatAndMountSensitive",
"listVolumesOnDisk"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q78c-gwqw-jcmc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3955"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a"
Expand Down Expand Up @@ -119,6 +184,6 @@
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2170",
"review_status": "UNREVIEWED"
"review_status": "REVIEWED"
}
}
25 changes: 17 additions & 8 deletions data/osv/GO-2023-2330.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@
"CVE-2023-3676",
"GHSA-7fxm-f474-hf8w"
],
"summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
"details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
"summary": "Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes",
"details": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
"affected": [
{
"package": {
Expand Down Expand Up @@ -52,18 +52,27 @@
]
}
],
"ecosystem_specific": {}
"ecosystem_specific": {
"imports": [
{
"path": "k8s.io/kubernetes/pkg/volume/util/subpath",
"goos": [
"windows"
],
"symbols": [
"evalSymlink",
"getUpperPath"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7fxm-f474-hf8w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3676"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399"
Expand Down Expand Up @@ -123,6 +132,6 @@
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-2330",
"review_status": "UNREVIEWED"
"review_status": "REVIEWED"
}
}
36 changes: 32 additions & 4 deletions data/reports/GO-2023-2170.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,42 @@ modules:
- introduced: 1.28.0
- fixed: 1.28.1
vulnerable_at: 1.28.0
summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
packages:
- package: k8s.io/kubernetes/pkg/volume/util
goos:
- windows
symbols:
- WriteVolumeCache
- module: k8s.io/mount-utils
versions:
- fixed: 0.24.17
- introduced: 0.25.0
- fixed: 0.25.13
- introduced: 0.26.0
- fixed: 0.26.8
- introduced: 0.27.0
- fixed: 0.27.5
- introduced: 0.28.0
- fixed: 0.28.1
vulnerable_at: 0.28.0
packages:
- package: k8s.io/mount-utils
goos:
- windows
symbols:
- SafeFormatAndMount.formatAndMountSensitive
- listVolumesOnDisk
summary: Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes and k8s.io/mount-utils
description: |-
A security issue was discovered in Kubernetes where a user that can create pods
on Windows nodes may be able to escalate to admin privileges on those nodes.
Kubernetes clusters are only affected if they include Windows nodes.
cves:
- CVE-2023-3955
ghsas:
- GHSA-q78c-gwqw-jcmc
references:
- advisory: https://github.com/advisories/GHSA-q78c-gwqw-jcmc
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3955
- web: https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a
- web: https://github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596
- web: https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9
Expand All @@ -35,6 +63,6 @@ references:
- web: https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
source:
id: GHSA-q78c-gwqw-jcmc
created: 2024-08-20T12:12:15.292286-04:00
review_status: UNREVIEWED
created: 2024-12-12T14:41:27.794119-05:00
review_status: REVIEWED
unexcluded: EFFECTIVELY_PRIVATE
18 changes: 14 additions & 4 deletions data/reports/GO-2023-2330.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,14 +12,24 @@ modules:
- introduced: 1.28.0
- fixed: 1.28.1
vulnerable_at: 1.28.0
summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
packages:
- package: k8s.io/kubernetes/pkg/volume/util/subpath
goos:
- windows
symbols:
- getUpperPath
- evalSymlink
summary: Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes
description: |-
A security issue was discovered in Kubernetes where a user that can create pods
on Windows nodes may be able to escalate to admin privileges on those nodes.
Kubernetes clusters are only affected if they include Windows nodes.
cves:
- CVE-2023-3676
ghsas:
- GHSA-7fxm-f474-hf8w
references:
- advisory: https://github.com/advisories/GHSA-7fxm-f474-hf8w
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3676
- web: https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399
- web: https://github.com/kubernetes/kubernetes/commit/39cc101c7855341c651a943b9836b50fbace8a6b
- web: https://github.com/kubernetes/kubernetes/commit/74b617310c24ca84c2ec90c3858af745d65b5226
Expand All @@ -36,6 +46,6 @@ references:
- web: https://security.netapp.com/advisory/ntap-20231130-0007
source:
id: GHSA-7fxm-f474-hf8w
created: 2024-08-20T12:14:41.740115-04:00
review_status: UNREVIEWED
created: 2024-12-12T15:03:43.614919-05:00
review_status: REVIEWED
unexcluded: EFFECTIVELY_PRIVATE

0 comments on commit 004aa43

Please sign in to comment.