102 matches found
CVE-2025-62159
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...
EUVD-2025-33793
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...
CVE-2025-62159 External Secrets Operator's BeyondTrust Provider has Insecure Secret Retrieval
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...
CVE-2025-62159 External Secrets Operator's BeyondTrust Provider has Insecure Secret Retrieval
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...
CVE-2025-62159
CVE-2025-62159 affects External Secrets Operator’s BeyondTrust provider (versions 0.10.1–0.19.2). The legacy code retrieved Kubernetes secrets directly without validating namespace context or secret store type, enabling cross‑namespace secret access and security boundary violations. In version 0....
CVE-2025-62159 External Secrets Operator's BeyondTrust Provider has Insecure Secret Retrieval
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously...
PT-2025-41614
Name of the Vulnerable Software and Affected Versions External Secrets Operator versions 0.10.1 through 0.19.2 Description The External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A flaw exists in the BeyondTrust provid...
EUVD-2025-24649
Malicious code in bioql PyPI...
CVE-2025-55196
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...
CVE-2025-55196
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...
CVE-2025-55196 External Secrets Operator Missing Namespace Restriction in PushSecret and SecretStore List() Calls Allows Unauthorized Secret Access
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...
CVE-2025-55196
External Secrets Operator (github.com/external-secrets/external-secrets) contains a vulnerability in versions 0.15.0–0.19.1 where PushSecret List() calls on Kubernetes Secret and SecretStore resources ignore namespace selectors. This allows an attacker who can create or update PushSecret resource...
GHSA-FCXQ-V2R3-CC8H External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
Summary A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
Summary A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...
PT-2025-33101 · External Secrets · External Secrets Operator
Name of the Vulnerable Software and Affected Versions: External Secrets Operator versions 0.15.0 through 0.19.1 Description: A flaw was discovered in the External Secrets Operator where List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply...
GO-2024-3126 External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets
External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets...
External Secrets Operator vulnerable to privilege escalation
Details The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets...
CVE-2024-45041 External Secrets Operator vulnerable to privilege escalation
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources. It...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: restic, step, tempo, flux-source-controller, opentelemetry-collector, argo-events, prometheus-operator, buildkitd, thanos, external-dns, flux-kustomize-controller, argo-workflows, py3-cassandra-medusa, flux, boring-registry, chezmoi, rook, cluster-autoscaler,...
CVE-2024-28180 vulnerabilities
Vulnerabilities for packages: aactl, step, flux-source-controller, skopeo, vexctl, caddy, gitsign, gomplate, flux-kustomize-controller, argo-workflows, minio, rook, policy-controller, kargo, temporal, dex, apko, kots, melange, timestamp-authority, zarf, slsa-verifier, rekor, skaffold, tkn,...