Kubernetes Secrets Store CSI Driver plugin directory traversals
CVE-2020-8567

4.9 MEDIUM

Key Information:

Vendor: Kubernetes
CVE Published: 21 January 2021

What is CVE-2020-8567?

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.

Affected Version(s)

Kubernetes Secrets Store CSI Driver Vault Plugin

Kubernetes Secrets Store CSI Driver Azure Plugin

Kubernetes Secrets Store CSI Driver GCP Plugin

References

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tommy Murphy of Google