Kubernetes Secrets Store CSI Driver plugins arbitrary file write
Low severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Jan 21, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Apr 24, 2024
Last updated
Nov 18, 2024
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including
/var/lib/kubelet/pods
.References