Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Kubernetes Secrets Store CSI Driver by Kubernetes

    CVE-2020-8568 (GCVE-0-2020-8568)

    Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-17 03:28
    VLAI
    Title
    Kubernetes Secrets Store CSI Driver sync/rotate directory traversal
    Summary
    Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Secrets Store CSI Driver Affected: Kubernetes Secrets Store CSI Driver v0.0.15
    Affected: Kubernetes Secrets Store CSI Driver v0.0.16
    Create a notification for this product.
    Date Public
    2020-11-10 00:00
    Credits
    Tommy Murphy of Google
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Secrets Store CSI Driver",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "Kubernetes Secrets Store CSI Driver v0.0.15"
                },
                {
                  "status": "affected",
                  "version": "Kubernetes Secrets Store CSI Driver v0.0.16"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tommy Murphy of Google"
            }
          ],
          "datePublic": "2020-11-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-21T17:09:21.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2020-11-10T21:00:00.000Z",
              "ID": "CVE-2020-8568",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Secrets Store CSI Driver",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Kubernetes Secrets Store CSI Driver",
                                "version_value": "v0.0.15"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Kubernetes Secrets Store CSI Driver",
                                "version_value": "v0.0.16"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Tommy Murphy of Google"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
                },
                {
                  "name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8568",
        "datePublished": "2021-01-21T17:09:21.450Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:28:40.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8567 (GCVE-0-2020-8567)

    Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-16 18:23
    VLAI
    Title
    Kubernetes Secrets Store CSI Driver plugin directory traversals
    Summary
    Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    Assigner
    References
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Secrets Store CSI Driver Affected: Vault Plugin , < v0.0.6 (custom)
    Affected: Azure Plugin , < v0.0.10 (custom)
    Affected: GCP Plugin , < v0.2.0 (custom)
    Create a notification for this product.
    Date Public
    2020-11-16 00:00
    Credits
    Tommy Murphy of Google
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Secrets Store CSI Driver",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "lessThan": "v0.0.6",
                  "status": "affected",
                  "version": "Vault Plugin",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.0.10",
                  "status": "affected",
                  "version": "Azure Plugin",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.2.0",
                  "status": "affected",
                  "version": "GCP Plugin",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tommy Murphy of Google"
            }
          ],
          "datePublic": "2020-11-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-21T17:09:21.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Kubernetes Secrets Store CSI Driver plugin directory traversals",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2020-11-16T21:00:00.000Z",
              "ID": "CVE-2020-8567",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Secrets Store CSI Driver plugin directory traversals"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Secrets Store CSI Driver",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Vault Plugin",
                                "version_value": "v0.0.6"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "Azure Plugin",
                                "version_value": "v0.0.10"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "GCP Plugin",
                                "version_value": "v0.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Tommy Murphy of Google"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
                },
                {
                  "name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8567",
        "datePublished": "2021-01-21T17:09:21.322Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:23:40.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8568 (GCVE-0-2020-8568)

    Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-17 03:28
    VLAI
    Title
    Kubernetes Secrets Store CSI Driver sync/rotate directory traversal
    Summary
    Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Secrets Store CSI Driver Affected: Kubernetes Secrets Store CSI Driver v0.0.15
    Affected: Kubernetes Secrets Store CSI Driver v0.0.16
    Create a notification for this product.
    Date Public
    2020-11-10 00:00
    Credits
    Tommy Murphy of Google
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.239Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Secrets Store CSI Driver",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "Kubernetes Secrets Store CSI Driver v0.0.15"
                },
                {
                  "status": "affected",
                  "version": "Kubernetes Secrets Store CSI Driver v0.0.16"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tommy Murphy of Google"
            }
          ],
          "datePublic": "2020-11-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-21T17:09:21.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2020-11-10T21:00:00.000Z",
              "ID": "CVE-2020-8568",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Secrets Store CSI Driver sync/rotate directory traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Secrets Store CSI Driver",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Kubernetes Secrets Store CSI Driver",
                                "version_value": "v0.0.15"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Kubernetes Secrets Store CSI Driver",
                                "version_value": "v0.0.16"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Tommy Murphy of Google"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
                },
                {
                  "name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8568",
        "datePublished": "2021-01-21T17:09:21.450Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:28:40.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8567 (GCVE-0-2020-8567)

    Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-16 18:23
    VLAI
    Title
    Kubernetes Secrets Store CSI Driver plugin directory traversals
    Summary
    Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
    CWE
    • CWE-24 - Path Traversal: '../filedir'
    Assigner
    References
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Secrets Store CSI Driver Affected: Vault Plugin , < v0.0.6 (custom)
    Affected: Azure Plugin , < v0.0.10 (custom)
    Affected: GCP Plugin , < v0.2.0 (custom)
    Create a notification for this product.
    Date Public
    2020-11-16 00:00
    Credits
    Tommy Murphy of Google
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Secrets Store CSI Driver",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "lessThan": "v0.0.6",
                  "status": "affected",
                  "version": "Vault Plugin",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.0.10",
                  "status": "affected",
                  "version": "Azure Plugin",
                  "versionType": "custom"
                },
                {
                  "lessThan": "v0.2.0",
                  "status": "affected",
                  "version": "GCP Plugin",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tommy Murphy of Google"
            }
          ],
          "datePublic": "2020-11-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-24",
                  "description": "CWE-24 Path Traversal: \u0027../filedir\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-21T17:09:21.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Kubernetes Secrets Store CSI Driver plugin directory traversals",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2020-11-16T21:00:00.000Z",
              "ID": "CVE-2020-8567",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Secrets Store CSI Driver plugin directory traversals"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Secrets Store CSI Driver",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Vault Plugin",
                                "version_value": "v0.0.6"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "Azure Plugin",
                                "version_value": "v0.0.10"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "GCP Plugin",
                                "version_value": "v0.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Tommy Murphy of Google"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-24 Path Traversal: \u0027../filedir\u0027"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY"
                },
                {
                  "name": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8567",
        "datePublished": "2021-01-21T17:09:21.322Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:23:40.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }