data/reports: review GO-2023-2170 and GO-2023-2330

tatianab · gopherbot · commit 004aa43e79b1 · 2024-12-12T14:00:26.000-08:00
User-requested review. - data/reports/GO-2023-2170.yaml - data/reports/GO-2023-2330.yaml Updates #2170 Updates #2330 Fixes #3322 Change-Id: I1eec81f034263c43dd2938d84c366df9fc9a0bb1 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635706 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/data/osv/GO-2023-2170.json b/data/osv/GO-2023-2170.json
@@ -7,8 +7,8 @@
     "CVE-2023-3955",
     "GHSA-q78c-gwqw-jcmc"
   ],
-  "summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
-  "details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
+  "summary": "Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes and k8s.io/mount-utils",
+  "details": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
   "affected": [
     {
       "package": {
@@ -52,18 +52,83 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "k8s.io/kubernetes/pkg/volume/util",
+            "goos": [
+              "windows"
+            ],
+            "symbols": [
+              "WriteVolumeCache"
+            ]
+          }
+        ]
+      }
+    },
+    {
+      "package": {
+        "name": "k8s.io/mount-utils",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.24.17"
+            },
+            {
+              "introduced": "0.25.0"
+            },
+            {
+              "fixed": "0.25.13"
+            },
+            {
+              "introduced": "0.26.0"
+            },
+            {
+              "fixed": "0.26.8"
+            },
+            {
+              "introduced": "0.27.0"
+            },
+            {
+              "fixed": "0.27.5"
+            },
+            {
+              "introduced": "0.28.0"
+            },
+            {
+              "fixed": "0.28.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "k8s.io/mount-utils",
+            "goos": [
+              "windows"
+            ],
+            "symbols": [
+              "SafeFormatAndMount.formatAndMountSensitive",
+              "listVolumesOnDisk"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-q78c-gwqw-jcmc"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3955"
-    },
     {
       "type": "WEB",
       "url": "https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a"
@@ -119,6 +184,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2023-2170",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/osv/GO-2023-2330.json b/data/osv/GO-2023-2330.json
@@ -7,8 +7,8 @@
     "CVE-2023-3676",
     "GHSA-7fxm-f474-hf8w"
   ],
-  "summary": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
-  "details": "Kubernetes privilege escalation vulnerability in k8s.io/kubernetes",
+  "summary": "Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes",
+  "details": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
   "affected": [
     {
       "package": {
@@ -52,18 +52,27 @@
           ]
         }
       ],
-      "ecosystem_specific": {}
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "k8s.io/kubernetes/pkg/volume/util/subpath",
+            "goos": [
+              "windows"
+            ],
+            "symbols": [
+              "evalSymlink",
+              "getUpperPath"
+            ]
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-7fxm-f474-hf8w"
     },
-    {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3676"
-    },
     {
       "type": "WEB",
       "url": "https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399"
@@ -123,6 +132,6 @@
   ],
   "database_specific": {
     "url": "https://pkg.go.dev/vuln/GO-2023-2330",
-    "review_status": "UNREVIEWED"
+    "review_status": "REVIEWED"
   }
 }
diff --git a/data/reports/GO-2023-2170.yaml b/data/reports/GO-2023-2170.yaml
@@ -12,14 +12,42 @@ modules:
         - introduced: 1.28.0
         - fixed: 1.28.1
       vulnerable_at: 1.28.0
-summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
+      packages:
+        - package: k8s.io/kubernetes/pkg/volume/util
+          goos:
+            - windows
+          symbols:
+            - WriteVolumeCache
+    - module: k8s.io/mount-utils
+      versions:
+        - fixed: 0.24.17
+        - introduced: 0.25.0
+        - fixed: 0.25.13
+        - introduced: 0.26.0
+        - fixed: 0.26.8
+        - introduced: 0.27.0
+        - fixed: 0.27.5
+        - introduced: 0.28.0
+        - fixed: 0.28.1
+      vulnerable_at: 0.28.0
+      packages:
+        - package: k8s.io/mount-utils
+          goos:
+            - windows
+          symbols:
+            - SafeFormatAndMount.formatAndMountSensitive
+            - listVolumesOnDisk
+summary: Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes and k8s.io/mount-utils
+description: |-
+    A security issue was discovered in Kubernetes where a user that can create pods
+    on Windows nodes may be able to escalate to admin privileges on those nodes.
+    Kubernetes clusters are only affected if they include Windows nodes.
 cves:
     - CVE-2023-3955
 ghsas:
     - GHSA-q78c-gwqw-jcmc
 references:
     - advisory: https://github.com/advisories/GHSA-q78c-gwqw-jcmc
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3955
     - web: https://github.com/kubernetes/kubernetes/commit/38c97fa67ed35f36e730856728c9e3807f63546a
     - web: https://github.com/kubernetes/kubernetes/commit/50334505cd27cbe7cf71865388f25a00e29b2596
     - web: https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9
@@ -35,6 +63,6 @@ references:
     - web: https://groups.google.com/g/kubernetes-security-announce/c/JrX4bb7d83E
 source:
     id: GHSA-q78c-gwqw-jcmc
-    created: 2024-08-20T12:12:15.292286-04:00
-review_status: UNREVIEWED
+    created: 2024-12-12T14:41:27.794119-05:00
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
diff --git a/data/reports/GO-2023-2330.yaml b/data/reports/GO-2023-2330.yaml
@@ -12,14 +12,24 @@ modules:
         - introduced: 1.28.0
         - fixed: 1.28.1
       vulnerable_at: 1.28.0
-summary: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes
+      packages:
+        - package: k8s.io/kubernetes/pkg/volume/util/subpath
+          goos:
+            - windows
+          symbols:
+            - getUpperPath
+            - evalSymlink
+summary: Insufficient input sanitization on Windows nodes leads to privilege escalation in k8s.io/kubernetes
+description: |-
+    A security issue was discovered in Kubernetes where a user that can create pods
+    on Windows nodes may be able to escalate to admin privileges on those nodes.
+    Kubernetes clusters are only affected if they include Windows nodes.
 cves:
     - CVE-2023-3676
 ghsas:
     - GHSA-7fxm-f474-hf8w
 references:
     - advisory: https://github.com/advisories/GHSA-7fxm-f474-hf8w
-    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-3676
     - web: https://github.com/kubernetes/kubernetes/commit/073f9ea33a93ddaecdc2e829150fb715f6387399
     - web: https://github.com/kubernetes/kubernetes/commit/39cc101c7855341c651a943b9836b50fbace8a6b
     - web: https://github.com/kubernetes/kubernetes/commit/74b617310c24ca84c2ec90c3858af745d65b5226
@@ -36,6 +46,6 @@ references:
     - web: https://security.netapp.com/advisory/ntap-20231130-0007
 source:
     id: GHSA-7fxm-f474-hf8w
-    created: 2024-08-20T12:14:41.740115-04:00
-review_status: UNREVIEWED
+    created: 2024-12-12T15:03:43.614919-05:00
+review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
