CVE-2020-8567
CVE-2020-8567 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods. EPSS estimates a 1.37% chance of exploitation in the next 30 days.
Description
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| | Secret Manager Provider For Secret Store Csi Driver | < 0.2.0 |
| Hashicorp | Vault Provider For Secrets Store Csi Driver | < 0.0.6 |
| Microsoft | Azure Key Vault Provider For Secrets Store Csi Driver | < 0.0.10 |
References
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384 (Patch, Third Party Advisory)
- https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY (Mailing List, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
