MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh3cnItcmhtbS12Y3Zm

Moderate EPSS: 0.00184% (0.40647 Percentile) EPSS:

Permalink JSON

NULL Pointer Dereference in Kubernetes CSI snapshot-controller

Affected Packages	Affected Versions	Fixed Versions
go:github.com/kubernetes-csi/external-snapshotter/v3 PURL: `pkg:go/github.com%2Fkubernetes-csi%2Fexternal-snapshotter%2Fv3`	>= 3.0.0, < 3.0.2	3.0.2
0 Dependent packages 1 Dependent repositories Affected Version Ranges All affected versions v3.0.0, v3.0.1 All unaffected versions v3.0.2, v3.0.3
go:github.com/kubernetes-csi/external-snapshotter/v2 PURL: `pkg:go/github.com%2Fkubernetes-csi%2Fexternal-snapshotter%2Fv2`	>= 2.0.0, < 2.1.3	2.1.3
226 Dependent packages 365 Dependent repositories Affected Version Ranges All affected versions v2.0.0, v2.0.0-rc1, v2.0.0-rc2, v2.0.0-rc3, v2.0.0-rc4, v2.0.1, v2.0.2-rc1, v2.1.0, v2.1.1, v2.1.2 All unaffected versions v2.1.3, v2.1.4, v2.1.5

Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when:

The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users canâ€™t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

References:

Identifiers

GHSA-hwrr-rhmm-vcvf

CVE-2020-8569

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00184

EPSS Percentile: 0.40647

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/kubernetes-csi/external-snapshotter

Date and time

Published

over 3 years ago

Updated

almost 3 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories