CVE-2024-45041

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

xternal Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It also has path/update verb of validatingwebhookconfigurations resources. This can be used to abuse the SA token of the deployment to retrieve or get ALL secrets in the whole cluster, capture and log all data from requests attempting to update Secrets, or make a webhook deny all Pod create and update requests. This vulnerability is fixed in 0.10.2.

References

Link	Resource
https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c	Patch
https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:external-secrets:external_secrets_operator:*:*:*:*:*:*:*:*

History

18 Sep 2024, 17:31

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~8.3~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:external-secrets:external_secrets_operator::::::::
CWE		CWE-732
References	~~() https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c -~~	() https://github.com/external-secrets/external-secrets/commit/428a452fd2ad45935312f2c2c0d40bc37ce6e67c - Patch
References	~~() https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9 -~~	() https://github.com/external-secrets/external-secrets/security/advisories/GHSA-qwgc-rr35-h4x9 - Vendor Advisory
First Time		External-secrets External-secrets external Secrets Operator
Summary		(es) External Secrets Operator es un operador de Kubernetes que integra sistemas de administración de secretos externos. external-secrets tiene una implementación llamada default-external-secrets-cert-controller, que está vinculada con un ClusterRole del mismo nombre. Este ClusterRole tiene verbos de "obtención/enumeración" de recursos de secretos. También tiene verbos de ruta/actualización de recursos de configuración de webhook de validación. Esto se puede usar para abusar del token SA de la implementación para recuperar u obtener TODOS los secretos en todo el clúster, capturar y registrar todos los datos de las solicitudes que intentan actualizar secretos o hacer que un webhook deniegue todas las solicitudes de creación y actualización de pods. Esta vulnerabilidad se corrigió en la versión 0.10.2.

09 Sep 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-09 15:15

Updated : 2024-09-18 17:31

NVD link : CVE-2024-45041

Mitre link : CVE-2024-45041

CVE.ORG link : CVE-2024-45041

JSON object : View

Products Affected

external-secrets

external_secrets_operator

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-269

Improper Privilege Management

8.8 /10