Vulnerability Report: GO-2022-0629
- CVE-2020-8568, GHSA-5cgx-vhfp-6cf9
- Affects: sigs.k8s.io/secrets-store-csi-driver
- Published: Feb 15, 2022
- Modified: May 20, 2024
Modifying pod status allows host directory traversal. Kubernetes Secrets Store CSI Driver gives an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and to sync file contents into Kubernetes Secrets. This includes paths under /var/lib/kubelet/pods that contain other Kubernetes Secrets.
Affected Packages
Path | Go Versions | Symbols
 | from v0.0.15 before v0.0.17 |
 | from v0.0.15 before v0.0.17 |
 | from v0.0.15 before v0.0.17 |
References
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd
- https://vuln.go.dev/ID/GO-2022-0629.json
Credits
- tam7t (Tommy Murphy)