CVE-2024-45041

HIGH

External Secrets Operator - Privilege Escalation

Title source: llm

Description

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

References (2)

[Vendor Advisory] https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9

[Patch] https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c

View Patch ZIP pw:eip

Scores

CVSS v3 8.3

EPSS 0.0040

EPSS Percentile 60.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-269 CWE-732

Status published

Products (2)

external-secrets/external-secrets 0 - 0.10.2Go

external-secrets/external_secrets_operator < 0.10.2

Published Sep 09, 2024

Tracked Since Feb 18, 2026