Vulnerability Report: GO-2022-0629

CVE-2020-8568, GHSA-5cgx-vhfp-6cf9
Affects: sigs.k8s.io/secrets-store-csi-driver
Published: Feb 15, 2022
Modified: Jun 12, 2023

Modifying pod status allows host directory traversal. Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

Affected Packages

Path

Versions

Symbols
sigs.k8s.io/secrets-store-csi-driver/controllers

from v0.0.15 before v0.0.17
- SecretProviderClassPodStatusReconciler.Reconcile
sigs.k8s.io/secrets-store-csi-driver/pkg/rotation

from v0.0.15 before v0.0.17
- Reconciler.Run
sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store

from v0.0.15 before v0.0.17
- SecretsStore.Run

Aliases

CVE-2020-8568
GHSA-5cgx-vhfp-6cf9

References

https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371
https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd
https://vuln.go.dev/ID/GO-2022-0629.json

Credits

tam7t (Tommy Murphy)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL