CVE-2020-8568

Name of the Vulnerable Software and Affected Versions: Kubernetes Secrets Store CSI Driver versions v0.0.15 through v0.0.16

Description: The issue allows an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets. Modifying pod status enables host directory traversal.

Recommendations: For versions v0.0.15 and v0.0.16, consider restricting access to the SecretProviderClassPodStatus/Status resource to prevent modification by unauthorized parties. As a temporary workaround, consider disabling the ability to modify SecretProviderClassPodStatus/Status resources until a patch is available. Restrict access to paths under var/lib/kubelet/pods to minimize the risk of exploitation.