Vulnerability Description
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Secret Manager Provider For Secret Store Csi Driver | < 0.2.0 |
| Hashicorp | Vault Provider For Secrets Store Csi Driver | < 0.0.6 |
| Microsoft | Azure Key Vault Provider For Secrets Store Csi Driver | < 0.0.10 |
Related Weaknesses (CWE)
References
- https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384 (Patch, Third Party Advisory)
- https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY (Mailing List, Third Party Advisory)
FAQ
What is CVE-2020-8567?
CVE-2020-8567 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass o...
How severe is CVE-2020-8567?
CVE-2020-8567 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-8567?
Check the references section above for vendor advisories and patch information. Affected products include: Google Secret Manager Provider For Secret Store Csi Driver, Hashicorp Vault Provider For Secrets Store Csi Driver, Microsoft Azure Key Vault Provider For Secrets Store Csi Driver.