PT-2019-4222 · Linux Foundation · Kubernetes

Xiangqian Yu · Published 2019-12-05 · Updated 2022-05-24 · CVE-2019-11255

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Kubernetes CSI sidecar containers for external-provisioner versions prior to 0.4.3, prior to 1.0.2, 1.1, prior to 1.2.2, prior to 1.3.1
Kubernetes CSI sidecar containers for external-snapshotter versions prior to 0.4.2, prior to 1.0.2, 1.1, prior to 1.2.2
Kubernetes CSI sidecar containers for external-resizer versions 0.1, 0.2

Description

The issue is caused by improper input validation in Kubernetes CSI sidecar containers, which could result in unauthorized access to PersistentVolume data or volume mutation during operations such as snapshot, restore from snapshot, cloning, and resizing. This could allow a remote attacker to impact the confidentiality and integrity of protected information.

Recommendations

For external-provisioner versions prior to 0.4.3, prior to 1.0.2, 1.1, prior to 1.2.2, prior to 1.3.1, update to a version that includes the fix for this issue.
For external-snapshotter versions prior to 0.4.2, prior to 1.0.2, 1.1, prior to 1.2.2, update to a version that includes the fix for this issue.
For external-resizer versions 0.1, 0.2, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the vulnerable CSI sidecar containers until a patch is available.

Fix

RCE


Weakness Enumeration

Related Identifiers

BDU:2019-04821
CVE-2019-11255
GHSA-F4W6-3RH6-6Q4Q
RHSA-2019:4054
RHSA-2019:4096
RHSA-2019:4225

Affected Products

Kubernetes