CVE-2020-8567 – github.com/hashicorp/vault-csi-provider

Package

Manager: go
Name: github.com/hashicorp/vault-csi-provider
Vulnerable Version: >=0 <0.0.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

EPSS: 0.00388 pctl0.59146

Details

Kubernetes Secrets Store CSI Driver plugins arbitrary file write Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including `/var/lib/kubelet/pods`.

Metadata

Created: 2022-05-24T17:40:02Z
Modified: 2024-11-18T16:26:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2v35-wj4r-rcmv/GHSA-2v35-wj4r-rcmv.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-2v35-wj4r-rcmv
Finding: F014
Auto approve: 1