Bug 1211745 (CVE-2023-2878) - VUL-0: CVE-2023-2878: kubernetes1.23,kubernetes,kubernetes1.24,kubernetes1.18: secrets-store-csi-driver discloses service account tokens in logs
Summary: VUL-0: CVE-2023-2878: kubernetes1.23,kubernetes,kubernetes1.24,kubernetes1.18...
Status: RESOLVED INVALID
Alias: CVE-2023-2878
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/367509/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-26 08:21 UTC by Thomas Leroy
Modified: 2023-05-26 08:25 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2023-05-26 08:21:11 UTC 
CVE-2023-2878

Posted by Monis Khan on May 25Hello Kubernetes Community,

A security issue was discovered in secrets-store-csi-driver where an actor
with access to the driver logs could observe service account tokens.  These
tokens could then potentially be exchanged with external cloud providers to
access secrets stored in cloud vault solutions.  Tokens are only logged
when TokenRequests is configured in the CSIDriver object
<https://kubernetes-csi.github.io/docs/token-requests.html>...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2878
https://seclists.org/oss-sec/2023/q2/198
Comment 1 Thomas Leroy 2023-05-26 08:25:31 UTC 
We don't embed secrets-store-csi-driver [0] in kubernetes packages, and we don't ship it standalone. Closing

[0] https://github.com/kubernetes-sigs/secrets-store-csi-driver/