
Budimanjojo

#27617 of 53,632
9.3 Total CVSS
Vulnerabilities · 1
PT-2026-3649
9.3
2026-01-20
Unknown · External Secrets Operator · CVE-2026-22822
**Name of the Vulnerable Software and Affected Versions**

External Secrets Operator versions 0.20.2 through 1.2.0

**Description**

The External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function could be used to fetch secrets cross-namespace with the RoleBinding of the external-secrets controller, bypassing security mechanisms. This function was removed in version 1.2.0. The issue allows cross-namespace secret access, potentially leading to privilege escalation, data exfiltration, or compromise of service accounts and credentials. The `getSecretKey` function takes parameters such as `a-secret-name`, `another-namespace`, and `a-key` to specify the secret to retrieve.

**Recommendations**

Upgrade to External Secrets Operator version 1.2.0 or later. As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
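The recommendation above asks operators to block `getSecretKey` in ExternalSecret resources; before enforcing that with an admission policy (or before the upgrade lands), it helps to find the resources that already use it. The following audit script is an added example, not code from the dbugs entry or from the External Secrets Operator project. It takes manifests in the JSON shape `kubectl get externalsecrets -A -o json` returns (the `.items` list), walks every string under `.spec` (so both `target.template.data` and `target.template.templateFrom[].literal` are covered), and reports each field that invokes the function. It also encodes the advisory's affected range (0.20.2 up to but not including 1.2.0) as a version check. The sample manifests at the bottom are constructed; the function name `audit` and the field layout it assumes are this example's own.

```python
"""Audit ExternalSecret manifests for the removed getSecretKey template function.

Added example (not from the advisory or the External Secrets Operator project).
Input is the .items list of `kubectl get externalsecrets -A -o json`.
"""
import re
from typing import Any, Iterator

# Token match for the template function; any Go-template action may wrap it,
# e.g. {{ getSecretKey ... }}, {{- getSecretKey ... -}} or (getSecretKey ...) | b64enc.
GET_SECRET_KEY = re.compile(r"\bgetSecretKey\b")
# Affected range from the advisory: >= 0.20.2 and < 1.2.0 (1.2.0 removed the function).
AFFECTED_MIN = (0, 20, 2)
FIXED_IN = (1, 2, 0)


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn 'v1.1.5' or '0.20.2-rc1' into a comparable (major, minor, patch) tuple."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected_version(v: str) -> bool:
    """True when an operator version lies inside the advisory's vulnerable range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED_IN


def _strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted path, value) for every string nested under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_get_secret_key(manifest: dict) -> list[dict]:
    """One finding per string field under .spec that calls getSecretKey.

    ClusterExternalSecret is included because it embeds an ExternalSecret spec
    (assumption of this example; the advisory names ExternalSecret resources).
    """
    if manifest.get("kind") not in ("ExternalSecret", "ClusterExternalSecret"):
        return []
    meta = manifest.get("metadata", {})
    findings = []
    for path, value in _strings(manifest.get("spec", {}), "spec"):
        if GET_SECRET_KEY.search(value):
            first_line = (value.strip().splitlines() or [""])[0]
            findings.append({
                "namespace": meta.get("namespace", ""),
                "name": meta.get("name", ""),
                "path": path,
                "snippet": first_line[:120],
            })
    return findings


def audit(items: list[dict]) -> list[dict]:
    """Audit a list of manifests (the .items of a kubectl List) and flatten the findings."""
    out: list[dict] = []
    for manifest in items:
        out.extend(find_get_secret_key(manifest))
    return out


# Constructed sample input: one benign ExternalSecret and one that uses the removed
# function with the parameter names quoted in the advisory.
SAMPLE_ITEMS = [
    {
        "kind": "ExternalSecret",
        "metadata": {"name": "app-db", "namespace": "team-a"},
        "spec": {
            "secretStoreRef": {"name": "vault", "kind": "ClusterSecretStore"},
            "target": {"name": "app-db", "template": {"data": {
                "DSN": "postgres://app:{{ .password }}@db:5432/app"}}},
            "data": [{"secretKey": "password",
                      "remoteRef": {"key": "team-a/db", "property": "password"}}],
        },
    },
    {
        "kind": "ExternalSecret",
        "metadata": {"name": "sneaky", "namespace": "team-b"},
        "spec": {
            "secretStoreRef": {"name": "vault", "kind": "ClusterSecretStore"},
            "target": {"name": "sneaky", "template": {
                "data": {"token": '{{ getSecretKey "a-secret-name" "another-namespace" "a-key" }}'},
                "templateFrom": [{"literal": '{{- getSecretKey "other" "kube-system" "ca.crt" | b64enc -}}'}],
            }},
            "data": [],
        },
    },
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ITEMS):
        print(f"{f['namespace']}/{f['name']} {f['path']}: {f['snippet']}")
    print("operator 1.1.5 affected:", is_affected_version("1.1.5"))
```

Feed the script real data with `kubectl get externalsecrets -A -o json | python3 -c 'import json,sys; from audit import audit; print(audit(json.load(sys.stdin)["items"]))'` after saving it as `audit.py`; an empty result list is the state you want before switching an admission policy that rejects `getSecretKey` from audit to enforce mode.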