CVE-2024-45041

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c	Patch
https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-09 15:15

Updated : 2024-09-18 17:31

NVD link : CVE-2024-45041

Mitre link : CVE-2024-45041

CVE.ORG link : CVE-2024-45041

JSON object : View

Products Affected

external-secrets

external_secrets_operator

CWE

CWE-269

Improper Privilege Management

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2024-45041", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-09-09T15:15:11.940", "references": [{"url": "https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has \"get/list\" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2."}, {"lang": "es", "value": "External Secrets Operator es un operador de Kubernetes que integra sistemas de administraci\u00f3n de secretos externos. external-secrets tiene una implementaci\u00f3n llamada default-external-secrets-cert-controller, que est\u00e1 vinculada con un ClusterRole del mismo nombre. Este ClusterRole tiene verbos de \"obtenci\u00f3n/enumeraci\u00f3n\" de recursos de secretos. Tambi\u00e9n tiene verbos de ruta/actualizaci\u00f3n de recursos de configuraci\u00f3n de webhook de validaci\u00f3n. Esto se puede usar para abusar del token SA de la implementaci\u00f3n para recuperar u obtener TODOS los secretos en todo el cl\u00faster, capturar y registrar todos los datos de las solicitudes que intentan actualizar secretos o hacer que un webhook deniegue todas las solicitudes de creaci\u00f3n y actualizaci\u00f3n de pods. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.10.2."}], "lastModified": "2024-09-18T17:31:53.903", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9FE8A81-3B52-4ACB-A0C0-32008302E35A", "versionEndExcluding": "0.10.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}