CVE-2020-8567 MEDIUM

CVE-2020-8567: Kubernetes Secrets Store CSI Driver plugin directory traversals

Vendor Kubernetes
Product Kubernetes Secrets Store CSI Driver
Weakness CWE-24
Published January 21, 2021
Last update September 16, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01Description

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.

Key dates

02Disclosure timeline

January 21, 2021 CVE published
September 16, 2024 Record updated