Kubernetes CSI Driver for NFS Path Traversal Vulnerability Allowing Unintended Directory Deletion
Vulnerability
A path traversal vulnerability has been identified in the Kubernetes CSI Driver for NFS, affecting all versions prior to v4.13.1. The issue arises from inadequate validation of the subDir parameter in volume identifiers, allowing attackers to create PersistentVolumes with traversal sequences that could manipulate directories outside the intended path on the NFS server. This could result in unauthorized deletion or modification of directories within the NFS export.
Impact
Exploitation of this vulnerability could lead to the deletion or modification of unintended directories on the NFS server, potentially disrupting services or causing data loss.
Remediation
Users can upgrade to CSI Driver for NFS versions 4.13.1 or later, restrict PersistentVolume creation privileges to trusted administrators, and review NFS exports to ensure only intended directories are writable by the driver.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.