External Secrets Operator is a Kubernetes operator that integrates external secret management systems. It ships a deployment called default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. This ClusterRole grants the "get" and "list" verbs on secrets resources, and the "patch" and "update" verbs on validatingwebhookconfigurations resources. The deployment's service account (SA) token can therefore be abused to retrieve ALL secrets in the whole cluster, to capture and log all data from requests attempting to update Secrets, or to make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
History
Wed, 18 Sep 2024 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | External-secrets external Secrets Operator | |
Weaknesses | CWE-732 | |
CPEs | cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:* | |
Vendors & Products | External-secrets external Secrets Operator | |
Mon, 09 Sep 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | External-secrets, External-secrets external-secrets | |
CPEs | cpe:2.3:a:external-secrets:external-secrets:*:*:*:*:*:*:*:* | |
Vendors & Products | External-secrets, External-secrets external-secrets | |
Metrics | ssvc | |
Mon, 09 Sep 2024 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. It ships a deployment called default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. This ClusterRole grants the "get" and "list" verbs on secrets resources, and the "patch" and "update" verbs on validatingwebhookconfigurations resources. The deployment's service account (SA) token can therefore be abused to retrieve ALL secrets in the whole cluster, to capture and log all data from requests attempting to update Secrets, or to make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2. | |
Title | External Secrets Operator vulnerable to privilege escalation | |
Weaknesses | CWE-269 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-09T14:54:31.066Z
Updated: 2024-09-09T17:11:22.575Z
Reserved: 2024-08-21T17:53:51.330Z
Link: CVE-2024-45041
Vulnrichment
Updated: 2024-09-09T17:11:13.148Z
NVD
Status: Analyzed
Published: 2024-09-09T15:15:11.940
Modified: 2024-09-18T17:31:53.903
Link: CVE-2024-45041
Redhat
No data.