CVE-2020-8569
NULL Pointer Dereference in Kubernetes CSI snapshot-controller
描述
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.
如何修補 CVE-2020-8569
要修補 CVE-2020-8569,請將受影響套件升級到下列已修補版本。
- —升級至 2.1.3 或更新版本
- —升級至 3.0.2 或更新版本
CVE-2020-8569 正在被利用嗎?
低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。
受影響套件(2)
- >= 2.0.0, < 2.1.3
- >= 3.0.0, < 3.0.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |