HIGH🇵🇱 Wersja polska

CVE-2026-34984

CVSS 7.1v4.0pub. 2026-04-14upd. 2026-04-22

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() but leaves the getHostByName function accessible to user-controlled templates. Since ESO executes templates within the controller process, an attacker who can create or update templated ExternalSecret resources can invoke controller-side DNS lookups using secret-derived values. This creates a DNS exfiltration primitive, allowing fetched secret material to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload. The impact is a confidentiality issue, particularly in environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller has DNS resolution capability. This issue has been fixed in version 2.3.0.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • External Secrets Operator

    APP
    External-Secrets
    < 2.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2026-22822CRITICAL9.3PL ✓ten sam produkt

External Secrets Operator: nieautoryzowany dostęp do sekretów między przestrzeniami nazw

CVE-2024-36540CRITICAL9.8PL ✓ten sam produkt

Nieprawidłowe uprawnienia w External Secrets Operator umożliwiają privilege escalation

CVE-2024-45041HIGH8.3ten sam produkt

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The ext...