CVE-2024-45041

Published: Sep 9, 2024Modified: Sep 18, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

Affected (1)

Products: External Secrets: External Secrets Operator

External Secrets

1 product

External Secrets Operator

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
External Secrets External Secrets Operator	Before 0.10.2

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c

Source: security-advisories@github.com

Patch

https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.