CVE-2020-8568 Kubernetes Secrets Store CSI Driver sync/rotate directory traversal

2021-01-2117:09:21

CWE-20

CWE-24

kubernetes

www.cve.org

kubernetes

secrets

csi driver

vulnerability

directory traversal

host filesystem

kubernetes secrets

cve-2020-8568

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

37.3%

JSON

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

CNA Affected

[
  {
    "product": "Kubernetes Secrets Store CSI Driver",
    "vendor": "Kubernetes",
    "versions": [
      {
        "status": "affected",
        "version": "Kubernetes Secrets Store CSI Driver v0.0.15"
      },
      {
        "status": "affected",
        "version": "Kubernetes Secrets Store CSI Driver v0.0.16"
      }
    ]
  }
]