This is an imported report from the email i have sent a month ago about a code injection vulnerability
The vulnerability was assigned as CVE-2023-5528
As a reference i have talked with Balaji from the k8 team.
Excerpts from the email chain that might be relevant:
“Just a quick update to let you know that we were able to reproduce the issue and are working on a fix. CVE-2023-5528 has been reserved for this issue. We’ll keep you updated on the next steps as we review the proposed fix.”
“Hi Tomer,
This is being rated as a Tier 1 High severity ($5,000) bounty.”
The vulnerability was verified and assigned a CVE by the k8 team
Code execution from kubelet context(SYSYTEM privileges) on all windows nodes on a cluster.