2 matches found
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
Summary: A vulnerability was discovered in the External Secrets Operator where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read...
Access Control Bypass
Overview: Affected versions of this package are vulnerable to Access Control Bypass via the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller, which does not apply a namespace selector. An attacker can access sensitive information from arbitrary...