GHSA-5cgx-vhfp-6cf9

Source

https://github.com/advisories/GHSA-5cgx-vhfp-6cf9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-5cgx-vhfp-6cf9/GHSA-5cgx-vhfp-6cf9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-5cgx-vhfp-6cf9

Aliases

Published

2022-02-15T01:57:18Z

Modified

2023-11-01T04:53:45.810002Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Directory traversal in Kubernetes Secrets Store CSI Driver

Details

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

Specific Go Packages Affected

sigs.k8s.io/secrets-store-csi-driver/controllers sigs.k8s.io/secrets-store-csi-driver/pkg/rotation sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20",
        "CWE-22",
        "CWE-24"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T21:44:15Z"
}

References

Affected packages

Go / sigs.k8s.io/secrets-store-csi-driver

Package

Name: sigs.k8s.io/secrets-store-csi-driver; View open source insights on deps.dev
Purl: pkg:golang/sigs.k8s.io/secrets-store-csi-driver

Affected ranges

Type: SEMVER
Events: Introduced

0.0.15

Fixed

0.0.17