CVE-2020-8569

Published: Jan 21, 2021

Modified: Sep 17, 2024

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Vendor	Product	Versions
Kubernetes	CSI Snapshotter	affected `snapshot-controller v3.0 - <= v3.0.1` affected `snapshot-controller v2.1 - <= v2.1.2`

Weaknesses (CWE)

CWE-476

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://groups.google.com/g/kubernetes-security-announce/c/1EzCr1qUxxU

x_refsource_MISC

https://github.com/kubernetes-csi/external-snapshotter/issues/380

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-8569

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References