GoogleOSV:GHSA-5CGX-VHFP-6CF9Directory traversal in Kubernetes Secrets Store CSI Driver
0.001 Low
EPSS
Percentile
37.5%
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
Specific Go Packages Affected
sigs.k8s.io/secrets-store-csi-driver/controllers
sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
| CPE | Name | Operator | Version |
|---|---|---|---|
| sigs.k8s.io/secrets-store-csi-driver | lt | 0.0.17 | |
| sigs.k8s.io/secrets-store-csi-driver | ge | 0.0.15 |
References
github.com/kubernetes-sigs/secrets-store-csi-driver
github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd
github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378
github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371
groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4
nvd.nist.gov/vuln/detail/CVE-2020-8568
pkg.go.dev/vuln/GO-2022-0629
Related
