Lucene search

GoogleOSV:GHSA-QJQG-4WG7-957H

HistoryMay 15, 2024 - 3:30 a.m.

azure-file-csi-driver leaks service account tokens in the logs

2024-05-1503:30:43

Google

osv.dev

azure

file

csi

driver

service account

tokens

logs

security issue

cloud vault solutions

tokenrequests

csidriver.

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

8.7%

JSON

A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

CPENameOperatorVersion
sigs.k8s.io/azurefile-csi-drivereq1.30.0
sigs.k8s.io/azurefile-csi-driverlt1.29.4

CPE	Name	Operator	Version
	sigs.k8s.io/azurefile-csi-driver	eq	1.30.0
	sigs.k8s.io/azurefile-csi-driver	lt	1.29.4

References

github.com/kubernetes-sigs/azurefile-csi-driver

github.com/kubernetes-sigs/azurefile-csi-driver/commit/a1b7446de942136419f07394efeef804523f87ae

github.com/kubernetes-sigs/azurefile-csi-driver/commit/e11ff3dc2c03894cde692213308f9991e7bbd5bf

github.com/kubernetes/kubernetes/issues/124759

groups.google.com/g/kubernetes-security-announce/c/hcgZE2MQo1A/m/Y4C6q-CYAgAJ

nvd.nist.gov/vuln/detail/CVE-2024-3744