DirectorySecurity Advisories
Sign In
Security Advisories

CGA-9cm4-vcjv-4v2c

Published

Last updated

https://images.chainguard.dev/security/CGA-9cm4-vcjv-4v2c
Package

vault-csi-provider

Latest Update
Fixed
Fixed Version

1.4.0-r9

Aliases
  • CVE-2023-2878
  • GHSA-g82w-58jf-gcxx

Severity

6.5

Medium

CVSS V3

Summary

secrets-store-csi-driver discloses service account tokens in logs

Description

A security issue was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

This issue has been rated MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (6.5), and assigned CVE-2023-2878

Am I vulnerable?

You may be vulnerable if TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.

To check if token requests are configured, run the following command:

kubectl get csidriver secrets-store.csi.k8s.io -o jsonpath="{.spec.tokenRequests}"

To check if tokens are being logged, examine the secrets-store container log:

kubectl logs -l app=secrets-store-csi-driver -c secrets-store -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"

Affected Versions

  • secrets-store-csi-driver < 1.3.3

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by running secrets-store-csi-driver at log level 0 or 1 via the -v flag.

Fixed Versions

  • secrets-store-csi-driver >= 1.3.3

To upgrade, refer to the documentation: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades

Detection

Examine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud vault secrets.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images