{"id":"GO-2022-0629","summary":"Directory traversal in sigs.k8s.io/secrets-store-csi-driver","details":"Modifying pod status allows host directory traversal.\n\nKubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.","aliases":["CVE-2020-8568","GHSA-5cgx-vhfp-6cf9"],"modified":"2024-05-20T16:03:47Z","published":"2022-02-15T01:57:18Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0629"},"references":[{"type":"FIX","url":"https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371"},{"type":"FIX","url":"https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd"}],"affected":[{"package":{"name":"sigs.k8s.io/secrets-store-csi-driver","ecosystem":"Go","purl":"pkg:golang/sigs.k8s.io/secrets-store-csi-driver"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.15"},{"fixed":"0.0.17"}]}],"ecosystem_specific":{"imports":[{"path":"sigs.k8s.io/secrets-store-csi-driver/controllers","symbols":["SecretProviderClassPodStatusReconciler.Reconcile"]},{"path":"sigs.k8s.io/secrets-store-csi-driver/pkg/rotation","symbols":["Reconciler.Run","Reconciler.reconcile"]},{"path":"sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store","symbols":["SecretsStore.Run","nodeServer.NodeUnpublishVolume"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0629.json"}}],"schema_version":"1.7.3","credits":[{"name":"tam7t (Tommy Murphy)"}]}