CVE-2020-8567

MEDIUM

Google Secret Manager Provider For Secret Store CSI Driver < 0.2.0 - Path Traversal

Title source: rule

Description

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.

References (2)

Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/BI2qisiNXHY
Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/384

Scores

CVSS v3 4.9
EPSS 0.0137
EPSS Percentile 68.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L

Details

CWE
CWE-22 CWE-24
Status published
Products (6)
Azure/secrets-store-csi-driver-provider-azure 0 - 0.0.10 (Go)
google/secret_manager_provider_for_secret_store_csi_driver < 0.2.0
GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp 0 - 0.2.0 (Go)
hashicorp/vault-csi-provider 0 - 0.0.6 (Go)
hashicorp/vault_provider_for_secrets_store_csi_driver < 0.0.6
microsoft/azure_key_vault_provider_for_secrets_store_csi_driver < 0.0.10
Published Jan 21, 2021
Tracked Since Feb 18, 2026