Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an…
kubernetes·CWE-24·Published 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10; github.com/hashicorp/vault-csi-provider before v0.0.6.
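The defect class here (CWE-24) is a provider writing a file name taken from a user-controlled SecretProviderClass under the pod's mount directory without checking that the resolved path stays inside that directory. The Go function below is an added example written for this page, not code from the Secrets Store CSI Driver or from any of the named Vault, Azure or GCP provider plugins; the names SafeJoin and PlanWrites, the mount-target path and the sample file names are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a requested file name would resolve outside the mount target.
var ErrUnsafePath = errors.New("file name resolves outside the mount target directory")

// SafeJoin joins an untrusted, object-supplied file name onto the pod's mount target
// directory and returns the full path only if it remains inside that directory.
// Assumption (constructed example): targetDir is an absolute, driver-controlled path on a
// Linux host, such as a per-pod CSI volume path under the kubelet root.
func SafeJoin(targetDir, fileName string) (string, error) {
	if fileName == "" {
		return "", errors.New("empty file name")
	}
	// An absolute name (for example one pointing at /var/lib/kubelet/pods) is never acceptable.
	if filepath.IsAbs(fileName) {
		return "", ErrUnsafePath
	}
	base := filepath.Clean(targetDir)
	full := filepath.Join(base, fileName) // Join cleans the result, resolving ".." lexically
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// After cleaning, anything that escaped the base starts with ".."; "." is the base itself.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

// PlanWrites validates every file name an object requests and returns the name-to-path
// mapping the provider may write. A single unsafe name rejects the whole object, so that a
// mount never partially succeeds with some files outside the target.
func PlanWrites(targetDir string, fileNames []string) (map[string]string, error) {
	plan := make(map[string]string, len(fileNames))
	for _, name := range fileNames {
		p, err := SafeJoin(targetDir, name)
		if err != nil {
			return nil, fmt.Errorf("object %q: %w", name, err)
		}
		plan[name] = p
	}
	return plan, nil
}

func main() {
	// Constructed sample input: one benign name, one nested name and one traversal attempt.
	target := "/var/lib/kubelet/pods/pod-uid/volumes/kubernetes.io~csi/secrets/mount"
	for _, name := range []string{"db-password", "certs/../tls.crt", "../../escape.txt"} {
		p, err := SafeJoin(target, name)
		fmt.Printf("%-20s -> %v %v\n", name, p, err)
	}
}
```

The check is purely lexical: it stops `..` and absolute names, which is the class of input this advisory describes, but it does not defend against a symlink already present inside the target directory redirecting the write elsewhere. A provider that lets workloads influence the contents of the mount directory also needs to create files with O_NOFOLLOW semantics or verify the parent with filepath.EvalSymlinks before writing.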
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Primary | cve.org | 4.9 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L |
| 3.1 | Secondary | NVD | 4.9 | 1.8 | 2.7 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L |
| 3.1 | Secondary | GHSA | 4.9 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L |
| 4.0 | Secondary | GHSA | 2.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L |