CVE-2023-5528: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2023-5528) was discovered in Kubernetes affecting versions 1.8.0 and later, where users with permissions to create pods and persistent volumes on Windows nodes could potentially escalate to admin privileges on those nodes. The vulnerability specifically affects Kubernetes clusters using in-tree storage plugins for Windows nodes. This issue was disclosed on November 14, 2023, and has been assigned a CVSS v3.1 score of 7.2 (High) (Kubernetes Issue, Security Announce).

The vulnerability stems from insufficient input sanitization in the in-tree storage plugin system for Windows nodes. The issue received a CVSS v3.1 base score of 8.8 (High) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Kubernetes assessed it at 7.2 (High) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) (NVD Database).

Successful exploitation of this vulnerability could allow an attacker to escalate to admin privileges on affected Windows nodes. The vulnerability potentially enables disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) on affected systems (NetApp Advisory).

The vulnerability has been patched in multiple Kubernetes versions: v1.28.4, v1.27.8, v1.26.11, and v1.25.16. Users are advised to upgrade to these fixed versions. Outside of applying the provided patches, there are no known alternative mitigations for this vulnerability. To check if a system is vulnerable, administrators can run 'kubectl get nodes -l kubernetes.io/os=windows' to identify Windows nodes in use (Security Announce).