CVE-2020-8567: Kubernetes Secrets Store CSI Driver plugins arbitrary file write
(updated )
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods
.
References
- github.com/Azure/secrets-store-csi-driver-provider-azure/pull/298
- github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/pull/74
- github.com/advisories/GHSA-2v35-wj4r-rcmv
- github.com/hashicorp/secrets-store-csi-driver-provider-vault/pull/50
- github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384
- groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY
- nvd.nist.gov/vuln/detail/CVE-2020-8567
Detect and mitigate CVE-2020-8567 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →