Modification of the SecretProviderClassPodStatus/Status resource could result in writing content to the host filesystem and syncing file contents to Kubernetes Secrets. This includes paths under /var/lib/kubelet/pods that contain other Kubernetes Secrets. With auto rotation enabled, the driver uses the targetPath recorded in the status object to decide where updated secret contents are written, so a tampered targetPath redirects those writes, and the follow-on sync into Kubernetes Secrets, to a directory of the attacker's choosing on the node.
Am I vulnerable?
The attacker must have permission to update or patch the secretproviderclasspodstatuses/status resource, which is not granted by default, and the auto rotation feature must be enabled, which is also off by default.
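To check the first precondition, the RBAC objects in a cluster can be audited for anything that grants update or patch on that subresource. The Python below is an added example (not part of the advisory or the driver) that runs the check over a constructed snapshot shaped like the items returned by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`; every role, binding and subject name in it is made up. The matching follows the Kubernetes RBAC authorizer: `*` in apiGroups, resources or verbs matches everything, a resource entry of the form `*/status` matches the status subresource of every resource, and a grant on the bare `secretproviderclasspodstatuses` resource does not cover its status subresource.

```python
"""Audit RBAC for grants of update/patch on secretproviderclasspodstatuses/status.

Added example, not part of the advisory or the secrets-store-csi-driver code.
SAMPLE_RBAC is a constructed snapshot; all names in it are made up.
"""
from typing import Dict, Iterable, List, Tuple

API_GROUP = "secrets-store.csi.x-k8s.io"
RESOURCE = "secretproviderclasspodstatuses"
SUBRESOURCE = "status"
DANGEROUS_VERBS = {"update", "patch", "*"}


def rule_grants(rule: dict) -> bool:
    """True if a PolicyRule lets its holder update or patch the status subresource.

    Mirrors the RBAC authorizer: '*' in apiGroups/resources/verbs matches
    everything, and a resource entry '*/status' matches the status subresource
    of every resource. A grant on the bare resource name does NOT cover the
    subresource and is therefore not flagged.
    """
    if not {API_GROUP, "*"} & set(rule.get("apiGroups", [])):
        return False
    combined = f"{RESOURCE}/{SUBRESOURCE}"
    if not {combined, "*", f"*/{SUBRESOURCE}"} & set(rule.get("resources", [])):
        return False
    return bool(DANGEROUS_VERBS & set(rule.get("verbs", [])))


def subject_id(subject: dict) -> str:
    """Render a binding subject as Kind:[namespace/]name."""
    ns = subject.get("namespace")
    return f"{subject['kind']}:{ns + '/' if ns else ''}{subject['name']}"


def audit(items: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (subject, binding) pairs whose role grants the dangerous verbs.

    A RoleBinding may reference a namespaced Role or a ClusterRole; in the
    latter case the grant is limited to the binding's namespace, which is still
    enough to attack pods in that namespace.
    """
    roles: Dict[Tuple[str, str, str], List[dict]] = {}
    bindings: List[dict] = []
    for obj in items:
        kind, meta = obj["kind"], obj["metadata"]
        if kind in ("ClusterRole", "Role"):
            roles[(kind, meta.get("namespace", ""), meta["name"])] = obj.get("rules", [])
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            bindings.append(obj)

    findings: List[Tuple[str, str]] = []
    for b in bindings:
        ref = b["roleRef"]
        binding_ns = b["metadata"].get("namespace", "") if b["kind"] == "RoleBinding" else ""
        role_ns = binding_ns if ref["kind"] == "Role" else ""  # ClusterRoles have no namespace
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if not any(rule_grants(r) for r in rules):
            continue
        where = binding_ns or "cluster-wide"
        for s in b.get("subjects", []):
            findings.append((subject_id(s), f"{b['kind']}/{b['metadata']['name']} ({where})"))
    return findings


SAMPLE_RBAC = [  # constructed snapshot; every name here is made up
    {"kind": "ClusterRole", "metadata": {"name": "csi-status-writer"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [f"{RESOURCE}/{SUBRESOURCE}"],
                "verbs": ["get", "patch", "update"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "csi-status-writer"},
     "roleRef": {"kind": "ClusterRole", "name": "csi-status-writer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "csi-secrets-store"}]},
    {"kind": "ClusterRole", "metadata": {"name": "dev-wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-wildcard", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "dev-wildcard"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "Role", "metadata": {"name": "status-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE, f"{RESOURCE}/{SUBRESOURCE}"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "status-reader", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "status-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "team-a", "name": "app"}]},
    {"kind": "Role", "metadata": {"name": "parent-only", "namespace": "team-a"},
     "rules": [{"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["update"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "parent-only", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "parent-only"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "team-a", "name": "operator"}]},
]

if __name__ == "__main__":
    for subject, via in audit(SAMPLE_RBAC):
        print(f"{subject} can update/patch {RESOURCE}/{SUBRESOURCE} via {via}")
```

Against the sample, the driver's own service account and the wildcard-bound `developers` group are reported; the read-only role and the role that grants `update` only on the parent resource are not. The driver's service account needing this permission is expected; anything else in the output is what the mitigation below says to remove.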
Affected Versions
v0.0.16
v0.0.15
How do I mitigate this vulnerability?
Do not grant users or workloads permission to modify secretproviderclasspodstatuses/status resources. Upgrade the driver to v0.0.17 or above, which includes additional verification of the targetPath field.
This CVE has been fixed in the v0.0.17 release of the driver.
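The fix the advisory points to is a tighter check on targetPath. As an added example that is not the driver's code and not necessarily the check that shipped in v0.0.17, the Python below encodes the invariant a status object should satisfy: the targetPath for pod `<podUID>` may only be the CSI mount point kubelet creates at `/var/lib/kubelet/pods/<podUID>/volumes/kubernetes.io~csi/<volume>/mount`. A second function applies that invariant to a list of status objects, which is the kind of one-off sweep you could run against a cluster still on an affected version. All pod UIDs, pod names and paths in it are constructed.

```python
"""Validate SecretProviderClassPodStatus.status.targetPath before writing to it.

Added example; not the driver's code and not necessarily the check that
shipped in v0.0.17. All UIDs, pod names and paths below are constructed.
"""
import posixpath
from typing import Dict, List, Tuple

KUBELET_ROOT = "/var/lib/kubelet"  # default kubelet --root-dir


def validate_target_path(target_path: str, pod_uid: str, kubelet_root: str = KUBELET_ROOT) -> bool:
    """Accept only <kubelet_root>/pods/<pod_uid>/volumes/kubernetes.io~csi/<vol>/mount.

    Rejects relative paths, anything normpath would rewrite ('..', '//',
    trailing '/'), other pods' directories, and non-CSI volume plugins such as
    kubernetes.io~secret, which is where projected Secret volumes live.
    On a real node, resolve symlinks with os.path.realpath first: a plain
    string check cannot see a symlink planted inside the volume directory.
    """
    if not posixpath.isabs(target_path) or posixpath.normpath(target_path) != target_path:
        return False
    root_parts = posixpath.normpath(kubelet_root).split("/")
    parts = target_path.split("/")
    # exactly six segments after the root: pods/<uid>/volumes/<plugin>/<vol>/mount
    if len(parts) != len(root_parts) + 6 or parts[: len(root_parts)] != root_parts:
        return False
    pods, uid, volumes, plugin, volume, mount = parts[len(root_parts):]
    return (pods == "pods" and uid == pod_uid and volumes == "volumes"
            and plugin == "kubernetes.io~csi" and bool(volume) and mount == "mount")


def find_bad_statuses(statuses: List[dict], pod_uids: Dict[Tuple[str, str], str]) -> List[str]:
    """Return namespace/name of status objects whose targetPath is not their pod's CSI mount.

    pod_uids maps (namespace, podName) -> pod UID, as collected from the API.
    A status whose pod is unknown is reported too: the rotation loop should not
    be writing anywhere on behalf of a pod that does not exist.
    """
    bad: List[str] = []
    for s in statuses:
        ns = s["metadata"]["namespace"]
        status = s.get("status", {})
        uid = pod_uids.get((ns, status.get("podName", "")))
        if uid is None or not validate_target_path(status.get("targetPath", ""), uid):
            bad.append(f"{ns}/{s['metadata']['name']}")
    return bad


POD_A = "1b4e28ba-2fa1-11d2-883f-0016d3cca427"  # constructed UIDs
POD_B = "9c858901-8a57-4791-81fe-4c455b099bc9"
SAMPLE_POD_UIDS = {("team-a", "web-0"): POD_A, ("team-a", "db-0"): POD_B}
SAMPLE_STATUSES = [  # constructed; shaped like the CRD's metadata/status blocks
    {"metadata": {"namespace": "team-a", "name": "web-0-team-a-vault-secrets"},
     "status": {"podName": "web-0",
                "targetPath": f"{KUBELET_ROOT}/pods/{POD_A}/volumes/kubernetes.io~csi/vault-secrets/mount"}},
    {"metadata": {"namespace": "team-a", "name": "db-0-team-a-vault-secrets"},
     "status": {"podName": "db-0",
                # tampered: points at another pod's projected Secret volume
                "targetPath": f"{KUBELET_ROOT}/pods/{POD_A}/volumes/kubernetes.io~secret/db-creds"}},
    {"metadata": {"namespace": "team-a", "name": "web-0-team-a-traversal"},
     "status": {"podName": "web-0",
                # tampered: traversal out of the legitimate mount point
                "targetPath": f"{KUBELET_ROOT}/pods/{POD_A}/volumes/kubernetes.io~csi/v/mount/"
                              f"../../../../{POD_B}/volumes/kubernetes.io~secret/token"}},
]

if __name__ == "__main__":
    for name in find_bad_statuses(SAMPLE_STATUSES, SAMPLE_POD_UIDS):
        print("suspicious targetPath:", name)
```

Of the three sample objects only the first passes; the other two are the shapes the advisory describes, a path into another pod's Secret volume and a traversal out of the mount point. The length-and-segment check deliberately refuses anything that is not exactly a CSI mount directory rather than trying to enumerate bad prefixes.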
/close
CVSS Rating: Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Fixed Versions
v0.0.17 - fixed by #371
Detection
N/A