CVE-2020-8569
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | CSI Snapshotter | snapshot-controller v3.0 <= v3.0.1 | affected |
| Kubernetes | CSI Snapshotter | snapshot-controller v2.1 <= v2.1.2 | affected |
Weaknesses
- CWE-476: CWE-476 NULL Pointer Dereference
Workarounds
Prior to upgrading, this vulnerability can be mitigated by restricting creation of VolumeSnapshot custom resources in API group snapshot.storage.k8s.io only to trusted users.
ADP Enrichment
CVE Program Container
Additional References
- https://groups.google.com/g/kubernetes-security-announce/c/1EzCr1qUxxU
- https://github.com/kubernetes-csi/external-snapshotter/issues/380
References
- https://groups.google.com/g/kubernetes-security-announce/c/1EzCr1qUxxU
- https://github.com/kubernetes-csi/external-snapshotter/issues/380
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.