| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Arbitrary filesystem access |
|
| Description |
| + |
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. |
|
| References |
| + |
https://github.com/kubernetes/kubernetes/issues/104980 |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature. |
| + |
|
| + |
You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation. |
|