CVE-2020-8568

Summary

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetes Secrets Store CSI DriverKubernetes Secrets Store CSI Driver v0.0.15affected
KubernetesKubernetes Secrets Store CSI DriverKubernetes Secrets Store CSI Driver v0.0.16affected

Weaknesses

  • CWE-24: CWE-24 Path Traversal: '../filedir'
  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

References