Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
External Secrets Operator's BeyondTrust Provider has Insecure Secret Retrieval
Vulnerability Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`.
CVSS Information
N/A
Vulnerability Type
访问控制不恰当
Vulnerability Title
External Secrets 访问控制错误漏洞
Vulnerability Description
External Secrets是External Secrets开源的一个 Kubernetes 相关应用程序。 External Secrets 0.10.1版本至0.19.2版本存在访问控制错误漏洞,该漏洞源于未验证命名空间上下文或密钥存储类型,可能导致未经授权的跨命名空间密钥访问。
CVSS Information
N/A
Vulnerability Type
N/A