Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function
Vulnerability Description
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource.
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
External Secrets 安全漏洞
Vulnerability Description
External Secrets是External Secrets开源的一个 Kubernetes 相关应用程序。 External Secrets 0.20.2版本至1.2.0之前版本存在安全漏洞,该漏洞源于getSecretKey模板函数能够跨命名空间获取密钥并绕过安全机制,可能导致权限提升。
CVSS Information
N/A
Vulnerability Type
N/A