Moderate severityNVD Advisory· Published Jan 21, 2021· Updated Sep 17, 2024
Kubernetes Secrets Store CSI Driver sync/rotate directory traversal
CVE-2020-8568
Description
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sigs.k8s.io/secrets-store-csi-driverGo | >= 0.0.15, < 0.0.17 | 0.0.17 |
Affected products
2- Kubernetes/Kubernetes Secrets Store CSI Driverv5Range: Kubernetes Secrets Store CSI Driver v0.0.15
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-5cgx-vhfp-6cf9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-8568ghsaADVISORY
- github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fdghsaWEB
- github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378ghsax_refsource_MISCWEB
- github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371ghsaWEB
- groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4ghsax_refsource_MISCWEB
- pkg.go.dev/vuln/GO-2022-0629ghsaWEB
News mentions
0No linked articles in our index yet.