Veracode Vulnerability DatabaseVERACODE:40828Insertion Of Sensitive Information Into Log File
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
15.5%
sigs.k8s.io/secrets-store-csi-driver is vulnerable to Insertion of Sensitive Information Into Log File. An attacker with access to the driver logs could observe service account tokens due to the NodePublishVolume function of nodeserver.go
References
github.com/advisories/GHSA-g82w-58jf-gcxx
github.com/kubernetes-sigs/secrets-store-csi-driver/commit/dcb2c294be3bc8b792e02b9f03e5078664db0581
github.com/kubernetes-sigs/secrets-store-csi-driver/pull/1210
github.com/kubernetes/kubernetes/issues/118419
groups.google.com/g/kubernetes-security-announce/c/5K8ghQHBDdQ/m/Udee6YUgAAAJ
security.netapp.com/advisory/ntap-20230814-0003/
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
15.5%