CVE-2020-8567

Summary

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetes Secrets Store CSI DriverVault Plugin < v0.0.6affected
KubernetesKubernetes Secrets Store CSI DriverAzure Plugin < v0.0.10affected
KubernetesKubernetes Secrets Store CSI DriverGCP Plugin < v0.2.0affected

Weaknesses

  • CWE-24: CWE-24 Path Traversal: '../filedir'

ADP Enrichment

CVE Program Container

Additional References

References