CVE-2024-45041

Published 09/09/2024 15:15 · Modified 18/09/2024 17:31

Labels: CVE-2024-45041, 2024-09-09, CWE-269, CWE-732, [email protected]

Essential information

Published: 09/09/2024 15:15
Modified: 18/09/2024 17:31
CVSS: 8.8 HIGH (v3.1)
CISA KEV: No
CWE: CWE-269, CWE-732
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. external-secrets has a deployment called default-external-secrets-cert-controller, which is bound to a ClusterRole of the same name. This ClusterRole has the "get/list" verbs on secrets resources. It also has the patch/update verbs on validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.
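An added RBAC audit check (example code, not the project's own): it inspects a Role or ClusterRole in the shape `kubectl get clusterrole <name> -o json` returns and flags the two grants the description names, cluster-wide get/list on Secrets and unscoped patch/update on ValidatingWebhookConfigurations. Both manifests are constructed; the hardened shape and names such as `example-webhook-config` are assumptions, not the 0.10.2 fix.

```python
from typing import Dict, List, Set

# Constructed sample shaped like the pre-fix cert-controller ClusterRole (not the real manifest).
VULNERABLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "default-external-secrets-cert-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
}
# Constructed least-privilege shape (an assumption, not the upstream fix): Secret access moves to a
# namespaced Role, and write access to webhook configs is pinned to one named object.
HARDENED_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-cert-controller"},
    "rules": [
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "resourceNames": ["example-webhook-config"], "verbs": ["update", "patch"]},
    ],
}
NAMESPACED_SECRET_ROLE = {
    "kind": "Role",
    "metadata": {"name": "example-cert-controller", "namespace": "external-secrets"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "list", "watch", "update", "patch"]}],
}

def _grants(rule: Dict, resource: str, verbs: Set[str]) -> bool:
    """True if the rule covers `resource` with any of `verbs`; wildcards count as a match."""
    resources = set(rule.get("resources", []))
    have = set(rule.get("verbs", []))
    return bool(resources & {resource, "*"}) and bool(have & (verbs | {"*"}))

def audit_role(role: Dict) -> List[str]:
    """Return the CVE-2024-45041-style findings for one Role or ClusterRole (sorted, unique)."""
    findings = set()
    cluster_wide = role.get("kind") == "ClusterRole"
    for rule in role.get("rules", []):
        unscoped = not rule.get("resourceNames")  # no resourceNames = every object of that kind
        if cluster_wide and unscoped and _grants(rule, "secrets", {"get", "list"}):
            findings.add("cluster-wide read of every Secret (get/list without resourceNames)")
        if unscoped and _grants(rule, "validatingwebhookconfigurations", {"patch", "update"}):
            findings.add("can rewrite any ValidatingWebhookConfiguration (patch/update without resourceNames)")
    return sorted(findings)
```

Run `audit_role` over each ClusterRole bound to an operator's ServiceAccount; an empty list means neither grant is present.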

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: external-secrets / external secrets operator
CPE: cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*