VYPR
Moderate severity · NVD Advisory · Published Jun 7, 2023 · Updated Feb 13, 2025

Kubernetes secrets-store-csi-driver discloses service account tokens in logs

CVE-2023-2878

Description

Kubernetes secrets-store-csi-driver in versions before 1.3.3 discloses service account tokens in logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kubernetes secrets-store-csi-driver before v1.3.3 logs service account tokens when TokenRequests is configured and log level is ≥2, allowing local access to tokens.

What the vulnerability is

The Kubernetes secrets-store-csi-driver, before version 1.3.3, improperly discloses Kubernetes service account tokens in its logs. The tokens are logged only when two conditions are met: the TokenRequests field is configured in the CSIDriver object, and the driver's log verbosity is set to level 2 or higher with the -v flag. This constitutes an information disclosure vulnerability in the driver's logging mechanism [1][4].

How it is exploited

Exploitation requires local access to the driver's logs. An attacker with access to the cluster (e.g., a pod or user with kubectl logs privileges on the secrets-store-csi-driver pods) can examine the logs and extract service account tokens. The token appears in log entries containing the string "csi.storage.k8s.io/serviceAccount.tokens". No network-based exploitation is needed; the attack vector is local (AV:L) and requires low privileges (PR:L) [1][4].

Impact

The exposed service account tokens can be exchanged with external cloud providers (such as AWS, Azure, GCP, or HashiCorp Vault) to access secrets stored in those cloud vault solutions. This could lead to unauthorized access to sensitive data managed by the secrets-store-csi-driver, with high confidentiality impact (C:H). The vulnerability does not affect integrity or availability directly [1][4].

Mitigation status

Kubernetes SIG Auth released version 1.3.3 of the secrets-store-csi-driver, which fixes the issue by ensuring service account tokens are no longer logged. Users should upgrade to v1.3.3 or later. As a temporary workaround, administrators can run the driver at log level 0 or 1 (flags -v=0 or -v=1) to prevent token logging. The advisory was published on May 25, 2023 [2][4].
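The three conditions above (driver version, TokenRequests set on the CSIDriver, and -v at 2 or higher) plus the log marker give a defender a concrete triage check. The following is an added example, not code from the advisory or from the secrets-store-csi-driver project; it assumes verbosity is passed as a "-v=N" or "--v=N" container argument, that the CSIDriver spec field is "tokenRequests", and that a leaked token is JWT-shaped, and the sample inputs are constructed rather than captured from a real cluster.

```python
import re

# Triage helpers for CVE-2023-2878 (secrets-store-csi-driver logging SA tokens).
# Assumptions not taken from the advisory: verbosity arrives as "-v=N"/"--v=N"
# in the container args, the CSIDriver spec field is "tokenRequests", and a
# leaked token is JWT-shaped (three base64url segments joined by dots).
LEAK_MARKER = "csi.storage.k8s.io/serviceAccount.tokens"
FIXED_VERSION = (1, 3, 3)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def parse_version(v: str) -> tuple:
    """'v1.3.2' or '1.3.2-rc1' -> (1, 3, 2); a pre-release suffix is ignored."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))

def verbosity(args) -> int:
    """Effective klog level: the last -v/--v flag wins, default is 0."""
    level = 0
    for arg in args:
        m = re.fullmatch(r"--?v=(\d+)", arg)
        if m:
            level = int(m.group(1))
    return level

def is_vulnerable(version: str, csidriver_spec: dict, container_args) -> bool:
    """All three advisory conditions: old driver, tokenRequests set, -v >= 2."""
    return (parse_version(version) < FIXED_VERSION
            and bool(csidriver_spec.get("tokenRequests"))
            and verbosity(container_args) >= 2)

def scan_logs(lines):
    """(line number, redacted line) for every entry carrying the leak marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        if LEAK_MARKER in line:
            hits.append((n, JWT_RE.sub("<REDACTED-JWT>", line)))
    return hits

# Constructed sample input (not real cluster data or real driver output).
SAMPLE_SPEC = {"tokenRequests": [{"audience": "vault"}]}
SAMPLE_ARGS = ["--endpoint=unix:///csi/csi.sock", "-v=5"]
SAMPLE_LOGS = [
    "I0525 10:00:00.000000 1 nodeserver.go:100] NodePublishVolume called",
    'I0525 10:00:01.000000 1 nodeserver.go:120] attributes: '
    '"csi.storage.k8s.io/serviceAccount.tokens":"{\\"vault\\":{\\"token\\":'
    '\\"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl\\"}}"',
]
```

Run `is_vulnerable` against the image tag, the CSIDriver spec and the DaemonSet args collected with kubectl, and `scan_logs` over already-collected driver logs to find entries that need redaction and token rotation.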

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   | Affected versions | Patched versions
sigs.k8s.io/secrets-store-csi-driver (Go) | < 1.3.3           | 1.3.3
