Hello all,
A vulnerability in Velero was found that could result in a PersistentVolume being bound to the wrong PersistentVolumeClaim at restore time. Details about this issue can be found at our security advisory for CVE-2020-3996.
Updated versions of Velero fixing this vulnerability are now available at
Docker images are available at
We urge all Velero users to upgrade as soon as possible to mitigate the effects of this race condition and ensure the integrity of their data.
Additionally, both v1.4.3 and v1.5.2 fix an issue with restoring CustomResourceDefinitions (thank you to Scott Seago of Red Hat for providing the fix) and v1.5.2 provides a fix for initializing ObjectStore plugins too often (thank you to Antony Bett of Dell EMC).
Full changelogs can be found below:
Special thanks to Arianit Uka for reporting the security issue and working with us to reproduce and understand it.
Thank you,
Nolan and the Velero team