CVE-2023-2878 Overview
CVE-2023-2878 affects the Kubernetes secrets-store-csi-driver in versions prior to 1.3.3. The driver writes service account tokens to log files, exposing sensitive authentication material to anyone with log access. Service account tokens grant access to Kubernetes API resources and external secret stores such as cloud key vaults. An attacker with local log read access can harvest these tokens and impersonate workloads. The issue is categorized as Sensitive Data Exposure through Log Files [CWE-532].
Critical Impact
Service account tokens written to driver logs allow attackers with log access to impersonate workloads and retrieve secrets from connected backends.
Affected Products
- Kubernetes secrets-store-csi-driver versions before 1.3.3
- Deployments integrating the driver with external secret providers (AWS, Azure, GCP, Vault)
- NetApp products bundling the affected driver, per NetApp Security Advisory NTAP-20230814-0003
Discovery Timeline
- 2023-06-07 - CVE-2023-2878 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-2878
Vulnerability Analysis
The secrets-store-csi-driver mounts secrets from external providers into Kubernetes pods as ephemeral volumes. To authenticate to providers, the driver uses bound service account tokens issued by the kubelet. In affected versions, these tokens were included in log statements emitted by the driver during mount operations.
Log data in Kubernetes environments is often collected by sidecars, node agents, or centralized logging stacks. Any principal with read access to those streams could extract valid service account tokens. The tokens carry the audience and identity needed to request secrets from the configured provider, expanding the blast radius beyond the originating pod.
The vulnerability does not require network access. Exploitation requires local access to the node, container logs, or downstream log aggregation systems where driver output is retained.
Root Cause
The driver passed service account token values into log calls without redaction. The fix in version 1.3.3 removes token contents from log output. Insertion of secrets into logs is a recurring class of issue tracked under CWE-532: Insertion of Sensitive Information into Log File.
Attack Vector
An attacker with read access to kubelet logs, container runtime logs, or a SIEM ingesting driver output searches for token strings emitted during volume mount events. The attacker then replays the token against the corresponding secret provider API to retrieve cloud credentials, database passwords, or certificates that the workload was authorized to consume. See GitHub Issue #118419 for upstream tracking and the Kubernetes Security Announcement for advisory details.
Detection Methods for CVE-2023-2878
Indicators of Compromise
- Driver log entries containing JWT-formatted strings beginning with eyJ near mount operations
- Service account token usage from IP addresses or user agents inconsistent with the owning pod
- Unexpected secret provider API calls authenticated with workload service account tokens
Detection Strategies
- Search aggregated log stores for JWT patterns originating from secrets-store-csi-driver pods
- Correlate Kubernetes audit log TokenReview events with secret provider access logs to spot token reuse outside the originating pod
- Identify driver pods running container images with a version tag earlier than 1.3.3
Monitoring Recommendations
- Forward kubelet, container runtime, and CSI driver logs into a SIEM with retention sufficient for forensic review
- Alert on JWT regex matches in any log stream that should not contain authentication material
- Track service account token issuance and provider API calls per workload identity for anomaly baselining
How to Mitigate CVE-2023-2878
Immediate Actions Required
- Upgrade secrets-store-csi-driver to version 1.3.3 or later on every cluster node
- Rotate service account tokens and any secrets retrieved by affected workloads since deployment of vulnerable versions
- Purge or restrict access to historical log archives that may contain exposed tokens
- Review IAM bindings on secret providers and revoke unused permissions granted to workload identities
Patch Information
The issue is resolved in secrets-store-csi-driver v1.3.3. Refer to the Kubernetes Security Announcement for upgrade guidance. NetApp customers should follow NetApp Security Advisory NTAP-20230814-0003 for product-specific fixes.
Workarounds
- Restrict RBAC and node access so only cluster administrators can read driver and kubelet logs
- Drop or redact JWT patterns at the log collector before logs reach centralized storage
- Shorten service account token lifetimes using projected token expirationSeconds to limit replay windows
# Verify deployed driver version on all nodes
kubectl get pods -A -l app=secrets-store-csi-driver \
-o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}'
# Upgrade via Helm to a fixed release
helm repo update
helm upgrade -n kube-system csi-secrets-store \
secrets-store-csi-driver/secrets-store-csi-driver \
--version 1.3.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

