CVE-2020-8568 MEDIUM

CVE-2020-8568: Kubernetes Secrets Store CSI Driver sync/rotate directory traversal

Vendor Kubernetes
Product Kubernetes Secrets Store CSI Driver
Weakness CWE-24
Published January 21, 2021
Last update September 17, 2024

CVSS base score

5.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

Key dates

02 Disclosure timeline

January 21, 2021 CVE published
September 17, 2024 Record updated