GO-2022-0629
- Source
- https://pkg.go.dev/vuln/GO-2022-0629
- Import Source
- https://vuln.go.dev/ID/GO-2022-0629.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GO-2022-0629
- Aliases
- Published
- 2022-02-15T01:57:18Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Directory traversal in sigs.k8s.io/secrets-store-csi-driver
- Details
-
Modifying pod status allows host directory traversal.
Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0629" }- References
- Credits
-
-
- tam7t (Tommy Murphy)
-
Affected packages
Go / sigs.k8s.io/secrets-store-csi-driver
Package
- Name
- sigs.k8s.io/secrets-store-csi-driver
- View open source insights on deps.dev
- Purl
- pkg:golang/sigs.k8s.io/secrets-store-csi-driver
Ecosystem specific
{
"imports": [
{
"path": "sigs.k8s.io/secrets-store-csi-driver/controllers",
"symbols": [
"SecretProviderClassPodStatusReconciler.Reconcile"
]
},
{
"path": "sigs.k8s.io/secrets-store-csi-driver/pkg/rotation",
"symbols": [
"Reconciler.Run",
"Reconciler.reconcile"
]
},
{
"path": "sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store",
"symbols": [
"SecretsStore.Run",
"nodeServer.NodeUnpublishVolume"
]
}
]
}