{"id":"CVE-2023-3676","summary":"Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation","details":"A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.","aliases":["GHSA-7fxm-f474-hf8w","GO-2023-2330"],"modified":"2026-05-18T05:55:29.032555841Z","published":"2023-10-31T20:22:53.620Z","related":["CGA-33r6-gv35-447j","openSUSE-SU-2024:14599-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3676.json","cna_assigner":"kubernetes","cwe_ids":["CWE-20"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/3xxx/CVE-2023-3676.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3676"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20231130-0007/"},{"type":"REPORT","url":"https://github.com/kubernetes/kubernetes/issues/119339"},{"type":"PACKAGE","url":"https://github.com/kubernetes/kubernetes"},{"type":"ARTICLE","url":"https://groups.google.com/g/kubernetes-security-announce/c/d_fvHZ9a5zc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubelet","events":[{"introduced":"0"},{"fixed":"2535c48bc9b3b2e68ea2812f3a82ac889cede1a3"},{"introduced":"d37f045d808033445aaa284ad80454c948b37958"},{"fixed":"13ac7af26da6189832297d78b2e9a6c75ab4ae5f"},{"introduced":"202e223fff3b2425eb941c13ff02e10b8e11a568"},{"fixed":"a1decd7b5f0c274ed3708a7171b6053fcd937cad"},{"introduced":"bc4c2f36af4e19e04b0d09b6fe4d101916a504fb"},{"fixed":"10dd04e1a6627ca44118059c16d9b4aa64492918"},{"introduced":"64c8471fa33c114d66df8f2efc02789f07449c63"},{"fixed":"dc5331fd4f6ffed03e5c81a6159aa90478f2e080"}],"database_specific":{"cpe":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events"
:[{"introduced":"0"},{"fixed":"1.24.17"},{"introduced":"1.25.0"},{"fixed":"1.25.13"},{"introduced":"1.26.0"},{"fixed":"1.26.8"},{"introduced":"1.27.0"},{"fixed":"1.27.5"},{"introduced":"1.28.0"},{"fixed":"1.28.1"}]}}],"versions":["kubernetes-1.9.0-alpha.3","kubernetes-1.9.0-alpha.2","kubernetes-1.9.0-alpha.1","kubernetes-1.9.0-alpha.0","kubernetes-1.13.0-alpha.0","kubernetes-1.12.0-beta.0","kubernetes-1.12.0-alpha.1","kubernetes-1.12.0-alpha.0","kubernetes-1.11.0-alpha.2","kubernetes-1.11.0-alpha.1","kubernetes-1.11.0-alpha.0","kubernetes-1.10.0-alpha.3","kubernetes-1.10.0-alpha.2","kubernetes-1.10.0-alpha.1","kubernetes-1.10.0-alpha.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3676.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/kubernetes/kubernetes","events":[{"introduced":"0"},{"fixed":"22a9682c8fe855c321be75c5faacde343f909b04"},{"introduced":"a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2"},{"fixed":"5244794d27b4cc68290bc496b00e248857ac8b47"},{"introduced":"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d"},{"fixed":"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1"},{"introduced":"1b4df30b3cdfeaba6024e81e559a6cd09a089d65"},{"fixed":"93e0d7146fb9c3e9f68aa41b2b4265b2fcdb0a4c"},{"introduced":"855e7c48de7388eb330da0f8d9d2394ee818fb8d"},{"fixed":"8dc49c4b984b897d423aab4971090e1879eb4f23"}],"database_specific":{"cpe":"cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.24.17"},{"introduced":"1.25.0"},{"fixed":"1.25.13"},{"introduced":"1.26.0"},{"fixed":"1.26.8"},{"introduced":"1.27.0"},{"fixed":"1.27.5"},{"introduced":"1.28.0"},{"fixed":"1.28.1"}]}}],"versions":["v1.28.0","v1.24.16","v1.26.7","v1.25.12","v1.27.4","v1.26.6","v1.25.11","v1.24.15","v1.27.3","v1.24.14","v1.27.2","v1.26.5","v1.25.10","v1.27.1","v1.25.9","v1.26.4","v1.24.13","v1.27.0","v1.26.3","v1.25.8","v1.24.12","v1.25.8-rc.0","v1.26.3-rc.0","v1.24.12-rc.0","v1.25.7","v1.26.2"
,"v1.24.11","v1.25.7-rc.0","v1.24.11-rc.0","v1.25.6","v1.24.10","v1.26.2-rc.0","v1.26.1","v1.26.1-rc.0","v1.26.0","v1.25.6-rc.0","v1.24.10-rc.0","v1.25.5","v1.24.9","v1.25.5-rc.0","v1.24.9-rc.0","v1.24.8","v1.25.4","v1.25.4-rc.0","v1.24.8-rc.0","v1.24.7","v1.25.3","v1.25.3-rc.0","v1.25.2","v1.24.7-rc.0","v1.24.6","v1.25.2-rc.0","v1.25.1","v1.24.6-rc.0","v1.24.5","v1.25.1-rc.0","v1.25.0","v1.24.5-rc.0","v1.24.4","v1.24.4-rc.0","v1.24.3","v1.25.0-alpha.0","v1.24.3-rc.0","v1.24.2","v1.24.2-rc.0","v1.24.1","v1.24.1-rc.0","v1.24.0","v1.24.0-rc.1","v1.24.0-rc.0","v1.24.0-beta.0","v1.24.0-alpha.4","v1.24.0-alpha.3","v1.24.0-alpha.2","v1.24.0-alpha.1","v1.24.0-alpha.0","v1.23.0-alpha.4","v1.23.0-alpha.3","v1.23.0-alpha.2","v1.23.0-alpha.1","v1.23.0-alpha.0","v1.22.0-beta.2","v1.22.0-beta.1","v1.22.0-beta.0","v1.22.0-alpha.3","v1.22.0-alpha.2","v1.22.0-alpha.1","v1.22.0-alpha.0","v1.21.0-beta.1","v1.21.0-beta.0","v1.21.0-alpha.3","v1.21.0-alpha.2","v1.21.0-alpha.1","v1.21.0-alpha.0","v1.20.0-beta.2","v1.20.0-beta.1","v1.20.0-beta.0","v1.20.0-alpha.3","v1.20.0-alpha.2","v1.20.0-alpha.1","v1.20.0-alpha.0","v1.19.0-beta.2","v1.19.0-beta.1","v1.19.0-beta.0","v1.19.0-alpha.3","v1.19.0-alpha.2","v1.19.0-alpha.1","v1.19.0-alpha.0","v1.18.0-alpha.5","v1.18.0-alpha.4","v1.18.0-alpha.2","v1.18.0-alpha.1","v1.18.0-alpha.0","v1.17.0-alpha.3","v1.17.0-alpha.1","v1.17.0-alpha.2","v1.17.0-alpha.0","v1.16.0-alpha.3","v1.16.0-alpha.2","v1.16.0-alpha.1","v1.16.0-alpha.0","v1.15.0-alpha.3","v1.15.0-alpha.2","v1.15.0-alpha.1","v1.14.0-alpha.3","v1.15.0-alpha.0","v1.14.0-alpha.2","v1.14.0-alpha.1","v1.14.0-alpha.0","v1.13.0-alpha.3","v1.13.0-alpha.2","v1.13.0-alpha.1","v1.13.0-alpha.0","v1.12.0-alpha.1","v1.12.0-alpha.0","v1.11.0-alpha.2","v1.11.0-alpha.1","v1.11.0-alpha.0","v1.10.0-alpha.3","v1.10.0-alpha.2","v1.10.0-alpha.1","v1.9.0-alpha.3","v1.10.0-alpha.0","v1.9.0-alpha.2","v1.9.0-alpha.1","v1.9.0-alpha.0","v1.8.0-alpha.3","v1.8.0-alpha.2","v1.8.0-alpha.0","v1.8.0-alpha.1","v1.7.0-alpha.4",
"v1.7.0-alpha.3","v1.7.0-alpha.2","v1.7.0-alpha.1","v1.7.0-alpha.0","v1.6.0-alpha.3","v1.6.0-alpha.2","v1.6.0-alpha.1","v1.6.0-alpha.0","v1.5.0-alpha.2","v1.5.0-alpha.1","v1.5.0-alpha.0","v1.4.0-alpha.3","v1.4.0-alpha.1","v1.4.0-alpha.2","v1.3.0-alpha.5","v1.3.0-alpha.4","v1.3.0-alpha.3","v1.3.0-alpha.1","v1.3.0-alpha.2","v1.3.0-alpha.0","v1.2.0-alpha.8","v1.2.0-alpha.7","v1.2.0-alpha.6","v1.2.0-alpha.5","v1.2.0-alpha.4","v1.2.0-alpha.3","v1.2.0-alpha.2","v1.2.0-alpha.1","v1.1.0-alpha.1","v1.1.0-alpha.0","v0.17.0","v0.13.1-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3676.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}