First published: Thu Jan 21 2021
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a `SecretProviderClassPodStatus/Status` resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under `var/lib/kubelet/pods` that contain other Kubernetes Secrets.

### Specific Go Packages Affected

- sigs.k8s.io/secrets-store-csi-driver/controllers
- sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
- sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
Credit: jordan@liggitt.net
Affected Software | Affected Version | How to fix |
---|---|---|
go/sigs.k8s.io/secrets-store-csi-driver | >=0.0.15 <0.0.17 | 0.0.17 |
Kubernetes Secrets Store CSI Driver | =0.0.15 | |
Kubernetes Secrets Store CSI Driver | =0.0.16 | |
The vulnerability ID for this issue is CVE-2020-8568.
The severity of CVE-2020-8568 is medium with a CVSS score of 6.5.
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 are affected by CVE-2020-8568.
An attacker who can modify a SecretProviderClassPodStatus/Status resource can exploit CVE-2020-8568 to write content to the host filesystem and sync file contents to Kubernetes Secrets.
The remedy for CVE-2020-8568 is to update to version 0.0.17 of Kubernetes Secrets Store CSI Driver.
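As an added defensive illustration (example code, not the driver's own code and not its actual 0.0.17 fix), the check below shows how a target path taken from an untrusted status resource can be constrained before a driver writes to it: it must be absolute, stay under the kubelet pods directory after cleaning, belong to the pod the status refers to, and match the kubelet CSI mount layout. The base directory, the pod UID and the `<pod-uid>/volumes/kubernetes.io~csi/<volume>/mount` layout are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// KubeletPodsDir is an assumption for this example (standard kubelet layout), not the driver's constant.
const KubeletPodsDir = "/var/lib/kubelet/pods"
var (
	ErrPathOutsideBase = errors.New("target path escapes the kubelet pods directory")
	ErrPodMismatch     = errors.New("target path belongs to a different pod")
	ErrBadLayout       = errors.New("target path is not a CSI volume mount point")
)

// ValidateTargetPath constrains a path taken from an untrusted resource (such as a
// SecretProviderClassPodStatus status field) before anything is written to it: it must be
// absolute, stay under base after cleaning, and have the form
// <base>/<podUID>/volumes/kubernetes.io~csi/<volume>/mount for the pod the status belongs to.
// Symlinks are not resolved here; on a live filesystem also apply filepath.EvalSymlinks.
func ValidateTargetPath(base, podUID, target string) (string, error) {
	if !filepath.IsAbs(target) {
		return "", fmt.Errorf("target path must be absolute: %q", target)
	}
	cleanTarget := filepath.Clean(target) // collapses any ../ segments
	rel, err := filepath.Rel(filepath.Clean(base), cleanTarget)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrPathOutsideBase
	}
	parts := strings.Split(rel, sep)
	if len(parts) != 5 || parts[1] != "volumes" || parts[2] != "kubernetes.io~csi" || parts[4] != "mount" {
		return "", ErrBadLayout
	}
	if parts[0] != podUID {
		return "", ErrPodMismatch
	}
	return cleanTarget, nil
}

func main() {
	// Constructed sample: a traversal attempt in a status belonging to pod abc-123.
	_, err := ValidateTargetPath(KubeletPodsDir, "abc-123", "/var/lib/kubelet/pods/abc-123/../../../../etc/cron.d")
	fmt.Println(err)
}
```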