PT-2024-31392 · Unknown · External Secrets Operator

Younaman · Published 2024-09-09 · Updated 2024-09-18 · CVE-2024-45041

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions prior to 0.10.2
Description: The External Secrets Operator is a Kubernetes operator that integrates external secret management systems. It ships a deployment named default-external-secrets-cert-controller, bound to a ClusterRole of the same name. That ClusterRole grants the get and list verbs on secrets resources and the patch and update verbs on validatingwebhookconfigurations resources, and because it is a ClusterRole the grant is cluster-wide. An attacker who runs code in that deployment's pod, or otherwise obtains its service account token, can therefore read every Secret in the cluster, rewrite the validating webhook configuration so that a server they control receives and logs the contents of every request that updates a Secret, or make the webhook deny all Pod create and update requests.
Recommendations: Update to version 0.10.2 or later. As a temporary workaround, restrict access to the default-external-secrets-cert-controller deployment and its service account token, and narrow the associated ClusterRole until the upgrade is applied: remove the get and list verbs on secrets resources (or move them into a namespaced Role) and remove the patch and update verbs on validatingwebhookconfigurations resources. Pinning the webhook rule with resourceNames is not sufficient on its own, since a principal that can patch the named configuration can still change its rules and clientConfig.
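As an added check for the two grants the description and recommendations call out (example code written for this page, not code from the advisory or from the External Secrets Operator): a small Python audit that takes Role/ClusterRole manifests in the JSON shape `kubectl get clusterroles -o json` emits and reports cluster-wide Secret reads and writable admission webhook configurations. The manifests embedded in it are constructed from the description above, not copied from the project's Helm chart, and the two webhook configuration names in the reduced variant are assumed.

```python
"""
Audit Kubernetes RBAC objects for the two grants abused in CVE-2024-45041:
cluster-wide read of Secrets, and write access to admission webhook
configurations. Added example; not code from the External Secrets Operator.
The manifests below are constructed for illustration.
"""
import json

SECRET_READ_VERBS = {"get", "list", "watch"}
WEBHOOK_WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
WEBHOOK_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}


def _matches(values, wanted):
    """True if an RBAC list (apiGroups/resources/verbs) covers any of `wanted`.
    A literal '*' in the rule matches everything."""
    return "*" in values or bool(set(values) & wanted)


def audit_role(obj: dict) -> list[str]:
    """Return findings for one Role or ClusterRole manifest (parsed JSON).

    Only a ClusterRole can reach Secrets in every namespace, so secret-read
    rules in a namespaced Role are ignored. Webhook configurations are
    cluster-scoped, so write access to them is reported for either kind.
    """
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for i, rule in enumerate(obj.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        names = rule.get("resourceNames", [])

        # Core-group Secrets readable in all namespaces: full secret disclosure
        # to whoever holds the bound ServiceAccount token. resourceNames pins
        # the grant to named objects, so a rule carrying them is not reported.
        if (kind == "ClusterRole" and not names
                and _matches(groups, {""})
                and _matches(resources, {"secrets"})
                and _matches(verbs, SECRET_READ_VERBS)):
            findings.append(f"{kind}/{name} rule[{i}]: cluster-wide read of secrets, verbs={sorted(verbs)}")

        # Writable webhook configuration: the holder can repoint clientConfig at
        # a server they control or widen the rules, e.g. to receive every Secret
        # update or to reject all Pod create/update requests. Reported even with
        # resourceNames, because the named object itself can still be rewritten.
        if (_matches(groups, {"admissionregistration.k8s.io"})
                and _matches(resources, WEBHOOK_RESOURCES)
                and _matches(verbs, WEBHOOK_WRITE_VERBS)):
            scope = f"limited to {sorted(names)}" if names else "unrestricted"
            findings.append(f"{kind}/{name} rule[{i}]: write access to webhook configurations, {scope}")
    return findings


def audit_manifests(doc) -> dict[str, list[str]]:
    """Audit a kubectl-style JSON List (or a single object), given as JSON text
    or an already-parsed dict; returns findings keyed by kind/name."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    results = {}
    for obj in items:
        if obj.get("kind") in ("Role", "ClusterRole"):
            found = audit_role(obj)
            if found:
                results[f"{obj['kind']}/{obj['metadata']['name']}"] = found
    return results


# Constructed ClusterRole modelled on the advisory's description of the
# affected default-external-secrets-cert-controller role (not the chart's text).
VULNERABLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "default-external-secrets-cert-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
    ],
}

# Constructed reduced-privilege split for a workaround: Secrets via a namespaced
# Role, and the webhook rule pinned to assumed names of the operator's webhook
# configurations. The webhook finding remains on purpose (see audit_role).
REDUCED = {
    "kind": "List",
    "items": [
        {"kind": "Role",
         "metadata": {"name": "cert-controller", "namespace": "external-secrets"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
        {"kind": "ClusterRole",
         "metadata": {"name": "cert-controller-webhook"},
         "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
                    "resources": ["validatingwebhookconfigurations"],
                    "resourceNames": ["secretstore-validate", "externalsecret-validate"],
                    "verbs": ["get", "list", "watch", "patch", "update"]}]},
    ],
}

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE), ("reduced", REDUCED)):
        print(label)
        for key, findings in audit_manifests(doc).items():
            for line in findings:
                print("  ", line)
```

Against a live cluster, pass the output of `kubectl get clusterroles,roles -A -o json` to `audit_manifests` and review every ClusterRole that is reported, not only the one named in this advisory. The reduced variant is still reported for its webhook rule by design: resourceNames stops the holder from touching other webhook configurations, but not from rewriting the named one, which is why the upgrade rather than the workaround closes the issue.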

Exploit

Fix

Weakness Enumeration

Improper Privilege Management

Incorrect Permission

Related Identifiers

CVE-2024-45041
GHSA-QWGC-RR35-H4X9
GO-2024-3126

Affected Products

External Secrets Operator