GHSA-5cgx-vhfp-6cf9
GitHub Security Advisory
Directory traversal in Kubernetes Secrets Store CSI Driver
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a `SecretProviderClassPodStatus/Status` resource to write content to the host filesystem and to sync file contents into Kubernetes Secrets. The path taken from that resource is not confined to the requesting pod's volume directory, so it can point at other locations under `/var/lib/kubelet/pods`, including directories that contain other Kubernetes Secrets.
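The security-relevant point above is that a path read from an attacker-writable status object reaches the host filesystem without being checked against the pod it is supposed to belong to. The Go function below is an added illustration of the kind of confinement check a node-side component needs in that situation; it is not the driver's own code and not its fix in v0.0.17. The constant `kubeletPodsDir`, the `podUID` argument (standing in for an identity the driver learned from a trusted source such as the mount request), and the `<pod>/volumes/kubernetes.io~csi/<volume>/mount` layout it enforces are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// kubeletPodsDir is the kubelet's per-pod directory on the host.
// Assumed fixed for this example.
const kubeletPodsDir = "/var/lib/kubelet/pods"

// ErrUntrustedPath is returned for any target path that does not resolve to
// the CSI volume mount directory of the expected pod.
var ErrUntrustedPath = errors.New("target path is not the pod's own CSI mount directory")

// ValidateTargetPath takes a pod UID the caller already trusts and a target
// path read from an untrusted object (standing in for the status of a
// SecretProviderClassPodStatus). It accepts only
//   <kubeletPodsDir>/<podUID>/volumes/kubernetes.io~csi/<volume>/mount
// and rejects everything else, including ".." traversal and paths that
// belong to a different pod on the same node. The layout is an assumption
// made for this example.
func ValidateTargetPath(podUID, targetPath string) (string, error) {
	// The UID becomes part of the expected prefix, so it must be a single
	// path element: not empty, not "." or "..", no separators.
	if podUID == "" || podUID == "." || podUID == ".." ||
		strings.ContainsAny(podUID, `/\`) {
		return "", ErrUntrustedPath
	}
	if !filepath.IsAbs(targetPath) {
		return "", ErrUntrustedPath
	}
	// Clean collapses "..", "." and repeated separators lexically, so the
	// prefix comparison below cannot be bypassed with a traversal sequence.
	clean := filepath.Clean(targetPath)

	expectedRoot := filepath.Join(kubeletPodsDir, podUID, "volumes", "kubernetes.io~csi")
	rel, err := filepath.Rel(expectedRoot, clean)
	if err != nil {
		return "", ErrUntrustedPath
	}
	// Anything that needs ".." to be reached from expectedRoot lies outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUntrustedPath
	}
	// Exactly one volume name followed by "mount": nothing deeper, nothing shallower.
	parts := strings.Split(rel, string(filepath.Separator))
	if len(parts) != 2 || parts[0] == "" || parts[1] != "mount" {
		return "", ErrUntrustedPath
	}
	return clean, nil
}

func main() {
	// Constructed candidates: the pod's own mount directory first, then
	// shapes an attacker who controls the status object might submit.
	const podUID = "5f2c1d6e-0000-4a1b-9c3d-000000000001"
	candidates := []string{
		"/var/lib/kubelet/pods/" + podUID + "/volumes/kubernetes.io~csi/secrets-store/mount",
		"/var/lib/kubelet/pods/" + podUID + "/volumes/kubernetes.io~csi/secrets-store/mount/../../../../other-pod-uid/volumes/kubernetes.io~secret/sa-token",
		"/var/lib/kubelet/pods/other-pod-uid/volumes/kubernetes.io~csi/secrets-store/mount",
		"/etc/kubernetes/pki",
		"relative/path/mount",
	}
	for _, c := range candidates {
		if p, err := ValidateTargetPath(podUID, c); err != nil {
			fmt.Printf("REJECT %s: %v\n", c, err)
		} else {
			fmt.Printf("ACCEPT %s\n", p)
		}
	}
}
```

The check is purely lexical: it decides whether a string is inside a directory, not what is actually on disk. In a real driver it belongs together with symlink resolution of the parent directory before writing (an attacker who can create files in the mount directory could otherwise plant a link), and with RBAC that limits who may update the status of `SecretProviderClassPodStatus` objects in the first place; the path check is the defence that holds when that authorization boundary is crossed.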
### Specific Go Packages Affected
sigs.k8s.io/secrets-store-csi-driver/controllers
sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
Affected Packages
Go
sigs.k8s.io/secrets-store-csi-driver
Affected versions:
>= 0.0.15, < 0.0.17
(fixed in 0.0.17)
Related CVEs
Key Information
Score: 5.0/10
Dataset
Last updated: September 15, 2025 6:32 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.