Description
Directory traversal in Kubernetes Secrets Store CSI Driver
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
Specific Go Packages Affected
- sigs.k8s.io/secrets-store-csi-driver/controllers
- sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
- sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-8568
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd
- https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4
- https://pkg.go.dev/vuln/GO-2022-0629
Packages
- sigs.k8s.io/secrets-store-csi-driver
  - Affected versions: >= 0.0.15, < 0.0.17
  - Fixed version: 0.0.17