Modification of the SecretProviderClassPodStatus/Status resource could result in writing content to the host filesystem and syncing file contents to Kubernetes Secrets. This includes paths under /var/lib/kubelet/pods that contain other Kubernetes Secrets.
Am I vulnerable?
The attacker must have permissions to update or patch the secretproviderclasspodstatuses/status resources, which are not granted by default, and the auto rotation feature must be enabled, which is also not enabled by default.
Affected Versions
v0.0.16
v0.0.15
How do I mitigate this vulnerability?
Do not grant users or workloads permissions to modify secretproviderclasspodstatuses/status resources. Upgrade the driver to v0.0.17 or above, which includes additional verifications on the targetPath field.
This CVE has been fixed with v0.0.17 release of the driver.
/close
CVSS Rating: Medium (5.8) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Fixed Versions
v0.0.17 - fixed by #371
Detection
N/A
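The precondition the advisory names is an RBAC grant of update or patch on secretproviderclasspodstatuses/status. The following audit, an added example that is not the driver's code, walks a list of (Cluster)Role objects and flags any rule that grants such a write, mirroring RBAC matching for the `*` and `*/status` wildcard forms; the role names and rules are constructed sample data.

```python
# Added example (not the driver's code): flag RBAC rules that grant a write
# on the SecretProviderClassPodStatus status subresource.
from typing import Iterable, List

# API group and resource named in the advisory.
SPCPS_GROUP = "secrets-store.csi.x-k8s.io"
SPCPS_RESOURCE = "secretproviderclasspodstatuses"
SPCPS_SUBRESOURCE = "status"
WRITE_VERBS = {"update", "patch"}


def _resource_matches(rule_resource: str) -> bool:
    """Mirror RBAC resource matching: exact name, '*', or '*/<subresource>'."""
    combined = f"{SPCPS_RESOURCE}/{SPCPS_SUBRESOURCE}"
    return rule_resource in (combined, "*", f"*/{SPCPS_SUBRESOURCE}")


def rule_grants_status_write(rule: dict) -> bool:
    """True if one PolicyRule grants update/patch on the status subresource."""
    groups = rule.get("apiGroups", [])
    if SPCPS_GROUP not in groups and "*" not in groups:
        return False
    verbs = set(rule.get("verbs", []))
    if not (verbs & WRITE_VERBS) and "*" not in verbs:
        return False
    # A grant on the parent resource alone does not cover its subresource.
    return any(_resource_matches(r) for r in rule.get("resources", []))


def risky_roles(roles: Iterable[dict]) -> List[str]:
    """Return names of (Cluster)Roles containing at least one risky rule."""
    return [role["metadata"]["name"] for role in roles
            if any(rule_grants_status_write(r) for r in role.get("rules", []))]


# Constructed sample roles (not from any real cluster).
SAMPLE_ROLES = [
    {"metadata": {"name": "spcps-reader"},
     "rules": [{"apiGroups": [SPCPS_GROUP], "verbs": ["get", "list", "watch"],
                "resources": [f"{SPCPS_RESOURCE}/{SPCPS_SUBRESOURCE}"]}]},
    {"metadata": {"name": "spcps-status-writer"},
     "rules": [{"apiGroups": [SPCPS_GROUP], "verbs": ["update"],
                "resources": [f"{SPCPS_RESOURCE}/{SPCPS_SUBRESOURCE}"]}]},
    {"metadata": {"name": "status-wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/status"], "verbs": ["patch"]}]},
    {"metadata": {"name": "spcps-parent-only"},
     "rules": [{"apiGroups": [SPCPS_GROUP], "resources": [SPCPS_RESOURCE], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    print(risky_roles(SAMPLE_ROLES))  # ['spcps-status-writer', 'status-wildcard']
```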