Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
The External Secrets Operator manages synchronization of secrets from external systems (e.g., Vault, AWS Secrets Manager) to Kubernetes. In version v0.9.16, the permissions assigned to the operator's service account are excessively broad or misconfigured (CWE-277 β improperly preserved privileges). An attacker who gains access to the environment can retrieve the service account token and then use it to gain access to sensitive data and escalate privileges in the Kubernetes cluster.
An attacker can gain access to sensitive data stored in secrets and perform privilege escalation β potentially taking full control of the Kubernetes cluster or managed cloud resources.
Apply patches available from the vendor according to the references. Additionally, it is recommended to audit the permissions of service accounts in the Kubernetes cluster and restrict access to service account tokens in accordance with the principle of least privilege.
External Secrets Operator version v0.9.16
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExternal Secrets Operator
APPExternal-Secrets0.9.16
Related vulnerabilities
External Secrets Operator: nieautoryzowany dostΔp do sekretΓ³w miΔdzy przestrzeniami nazw
External Secrets Operator reads information from a third-party service and automatically injects the values as...
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The ext...