Rancher Local Path Provisioner Path Traversal Vulnerability Allowing Arbitrary PersistentVolume Creation
Vulnerability
A path traversal vulnerability has been identified in Rancher Local Path Provisioner versions prior to 0.0.34. It allows a malicious user to manipulate the StorageClass 'parameters.pathPattern' field to create PersistentVolumes in arbitrary locations on the host node. Such actions could overwrite sensitive files or provide access to unintended directories. The issue arises because the provisioner does not properly validate or normalize path patterns, so relative path elements can escape the base directory and target critical system locations.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files or directories on the host node, with the potential to overwrite important system files.
Reproduction
To reproduce this vulnerability, create a StorageClass that uses the 'rancher.io/local-path' provisioner. In the 'parameters.pathPattern', include relative path elements that traverse up the directory structure, such as '..'. This will create a PersistentVolume that points to a location outside the intended base directory, effectively exploiting the path traversal flaw.
Remediation
Users should upgrade to Rancher Local Path Provisioner version 0.0.34 or later, where this vulnerability has been patched by implementing proper path validation and normalization. For versions prior to 0.0.34, no patches are available, so an upgrade is necessary to mitigate the vulnerability.
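The kind of validation and normalization described above can be sketched as a containment check. This is an added example, not the provisioner's own code or its actual patch: the helper resolveVolumePath, the error ErrOutsideBase, the base directory and the sample patterns are all hypothetical or constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase: the rendered path is not strictly inside the base directory.
var ErrOutsideBase = errors.New("path is not inside base directory")

// resolveVolumePath is a hypothetical helper, not the provisioner's code.
// rendered is the pathPattern after template expansion. The check is lexical
// only: symlinks under basePath are not resolved here.
func resolveVolumePath(basePath, rendered string) (string, error) {
	base := filepath.Clean(basePath)
	if !filepath.IsAbs(base) {
		return "", fmt.Errorf("base path %q must be absolute", basePath)
	}
	// Join cleans the result, collapsing "..", "." and repeated separators.
	full := filepath.Join(base, rendered)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// Compare whole path elements: "..data" is a legal name, "../data" is not.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrOutsideBase, rendered, full)
	}
	return full, nil
}

func main() {
	base := "/data/local-path" // constructed base directory
	// Constructed sample values of a rendered pathPattern.
	for _, p := range []string{"default/data-pvc", "default/../pvc", "..data", "../../outside", "default/../../other", "."} {
		full, err := resolveVolumePath(base, p)
		fmt.Printf("%-22q -> %q err=%v\n", p, full, err)
	}
}
```

A pattern that resolves to the base directory itself is rejected as well, since a volume mapped there would cover every other volume under it.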
