4 vulnerabilities found for Kubernetes Secrets Store CSI Driver by Kubernetes
CVE-2020-8568 (GCVE-0-2020-8568)
Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-17 03:28
Title
Kubernetes Secrets Store CSI Driver sync/rotate directory traversal
Summary
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under /var/lib/kubelet/pods that contain other Kubernetes Secrets.
Severity ?
5.8 (Medium)
Assigner
References
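| URL | Tags |
|---|---|
| https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4 | x_refsource_MISC |
| https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378 | x_refsource_MISC |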
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Kubernetes | Kubernetes Secrets Store CSI Driver | Affected: Kubernetes Secrets Store CSI Driver v0.0.15; Affected: Kubernetes Secrets Store CSI Driver v0.0.16 |
Credits
Tommy Murphy of Google
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Secrets Store CSI Driver",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "Kubernetes Secrets Store CSI Driver v0.0.15"
},
{
"status": "affected",
"version": "Kubernetes Secrets Store CSI Driver v0.0.16"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tommy Murphy of Google"
}
],
"datePublic": "2020-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T17:09:21",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
],
"discovery": "INTERNAL"
},
"title": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-11-10T21:00:00.000Z",
"ID": "CVE-2020-8568",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Secrets Store CSI Driver",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Kubernetes Secrets Store CSI Driver",
"version_value": "v0.0.15"
},
{
"version_affected": "=",
"version_name": "Kubernetes Secrets Store CSI Driver",
"version_value": "v0.0.16"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tommy Murphy of Google"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378",
"refsource": "MISC",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8568",
"datePublished": "2021-01-21T17:09:21.450754Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-17T03:28:40.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8567 (GCVE-0-2020-8567)
Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-16 18:23
Title
Kubernetes Secrets Store CSI Driver plugin directory traversals
Summary
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
Severity ?
4.9 (Medium)
CWE
- CWE-24 - Path Traversal: '../filedir'
Assigner
References
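| URL | Tags |
|---|---|
| https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY | x_refsource_MISC |
| https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384 | x_refsource_MISC |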
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Kubernetes | Kubernetes Secrets Store CSI Driver | Affected: Vault Plugin, < v0.0.6 (custom); Affected: Azure Plugin, < v0.0.10 (custom); Affected: GCP Plugin, < v0.2.0 (custom) |
Credits
Tommy Murphy of Google
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Secrets Store CSI Driver",
"vendor": "Kubernetes",
"versions": [
{
"lessThan": "v0.0.6",
"status": "affected",
"version": "Vault Plugin",
"versionType": "custom"
},
{
"lessThan": "v0.0.10",
"status": "affected",
"version": "Azure Plugin",
"versionType": "custom"
},
{
"lessThan": "v0.2.0",
"status": "affected",
"version": "GCP Plugin",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tommy Murphy of Google"
}
],
"datePublic": "2020-11-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T17:09:21",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
],
"discovery": "INTERNAL"
},
"title": "Kubernetes Secrets Store CSI Driver plugin directory traversals",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-11-16T21:00:00.000Z",
"ID": "CVE-2020-8567",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Secrets Store CSI Driver plugin directory traversals"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Secrets Store CSI Driver",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Vault Plugin",
"version_value": "v0.0.6"
},
{
"version_affected": "\u003c",
"version_name": "Azure Plugin",
"version_value": "v0.0.10"
},
{
"version_affected": "\u003c",
"version_name": "GCP Plugin",
"version_value": "v0.2.0"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tommy Murphy of Google"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384",
"refsource": "MISC",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8567",
"datePublished": "2021-01-21T17:09:21.322492Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-16T18:23:40.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8568 (GCVE-0-2020-8568)
Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-17 03:28
Title
Kubernetes Secrets Store CSI Driver sync/rotate directory traversal
Summary
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under /var/lib/kubelet/pods that contain other Kubernetes Secrets.
Severity ?
5.8 (Medium)
Assigner
References
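| URL | Tags |
|---|---|
| https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4 | x_refsource_MISC |
| https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378 | x_refsource_MISC |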
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Kubernetes | Kubernetes Secrets Store CSI Driver | Affected: Kubernetes Secrets Store CSI Driver v0.0.15; Affected: Kubernetes Secrets Store CSI Driver v0.0.16 |
Credits
Tommy Murphy of Google
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Secrets Store CSI Driver",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "Kubernetes Secrets Store CSI Driver v0.0.15"
},
{
"status": "affected",
"version": "Kubernetes Secrets Store CSI Driver v0.0.16"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tommy Murphy of Google"
}
],
"datePublic": "2020-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T17:09:21",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
],
"discovery": "INTERNAL"
},
"title": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-11-10T21:00:00.000Z",
"ID": "CVE-2020-8568",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Secrets Store CSI Driver",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Kubernetes Secrets Store CSI Driver",
"version_value": "v0.0.15"
},
{
"version_affected": "=",
"version_name": "Kubernetes Secrets Store CSI Driver",
"version_value": "v0.0.16"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tommy Murphy of Google"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378",
"refsource": "MISC",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8568",
"datePublished": "2021-01-21T17:09:21.450754Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-17T03:28:40.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8567 (GCVE-0-2020-8567)
Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-16 18:23
Title
Kubernetes Secrets Store CSI Driver plugin directory traversals
Summary
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
Severity ?
4.9 (Medium)
CWE
- CWE-24 - Path Traversal: '../filedir'
Assigner
References
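| URL | Tags |
|---|---|
| https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY | x_refsource_MISC |
| https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384 | x_refsource_MISC |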
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Kubernetes | Kubernetes Secrets Store CSI Driver | Affected: Vault Plugin, < v0.0.6 (custom); Affected: Azure Plugin, < v0.0.10 (custom); Affected: GCP Plugin, < v0.2.0 (custom) |
Credits
Tommy Murphy of Google
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Secrets Store CSI Driver",
"vendor": "Kubernetes",
"versions": [
{
"lessThan": "v0.0.6",
"status": "affected",
"version": "Vault Plugin",
"versionType": "custom"
},
{
"lessThan": "v0.0.10",
"status": "affected",
"version": "Azure Plugin",
"versionType": "custom"
},
{
"lessThan": "v0.2.0",
"status": "affected",
"version": "GCP Plugin",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tommy Murphy of Google"
}
],
"datePublic": "2020-11-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-24",
"description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-21T17:09:21",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
],
"discovery": "INTERNAL"
},
"title": "Kubernetes Secrets Store CSI Driver plugin directory traversals",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2020-11-16T21:00:00.000Z",
"ID": "CVE-2020-8567",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Secrets Store CSI Driver plugin directory traversals"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Secrets Store CSI Driver",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Vault Plugin",
"version_value": "v0.0.6"
},
{
"version_affected": "\u003c",
"version_name": "Azure Plugin",
"version_value": "v0.0.10"
},
{
"version_affected": "\u003c",
"version_name": "GCP Plugin",
"version_value": "v0.2.0"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tommy Murphy of Google"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
},
{
"name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384",
"refsource": "MISC",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8567",
"datePublished": "2021-01-21T17:09:21.322492Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-16T18:23:40.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}