External Secrets Operator PushSecret Namespace Bypass Vulnerability Allowing Unauthorized Secret Access

Vulnerability

A vulnerability exists in External Secrets Operator for Kubernetes, affecting versions from 0.15.0 up to, but not including, 0.19.2. The issue arises because the PushSecret controller's List() calls for Kubernetes Secret and SecretStore resources did not include a namespace selector. This oversight allowed attackers to use label selectors to list and access Secrets and SecretStores across the entire cluster, circumventing namespace isolation. An attacker with the ability to create or update PushSecret resources and manage SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from any namespace, potentially leading to the unauthorized disclosure of Kubernetes secrets, including credentials and tokens.

Impact

Exploitation of this vulnerability could result in the unauthorized access and exfiltration of Kubernetes secrets from any namespace, including sensitive data such as credentials and tokens.

Reproduction

To reproduce this vulnerability, create a PushSecret resource that includes a label selector. The PushSecret controller will attempt to list and access Secrets and SecretStores using the label selector, but without applying the necessary namespace restrictions. This will allow for the listing and reading of secrets from other namespaces, bypassing the intended isolation.

Remediation

Users can upgrade to External Secrets Operator version 0.19.2 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, it is recommended to restrict RBAC permissions to ensure that only trusted service accounts can create or update PushSecret and SecretStore resources.
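The defect described above, as an added illustration that is not code from the External Secrets Operator project: a minimal in-memory model of a controller-runtime style List() call, with the pre-0.19.2 variant that passes only the label selector beside the remediated variant that also scopes the query to the PushSecret's own namespace. The Secret/ListOptions types, the sample cluster contents and the function names are constructed for this example.

```go
package main

// Secret models the subset of a Kubernetes Secret that matters here (illustration).
type Secret struct {
	Namespace string
	Name      string
	Labels    map[string]string
}
// ListOptions mirrors controller-runtime's ListOptions: label selector plus an
// optional namespace; an empty Namespace means "all namespaces".
type ListOptions struct {
	MatchLabels map[string]string
	Namespace   string
}
// List stands in for client.List: the label selector is always applied, the
// namespace restriction only when the caller asks for it.
func List(store []Secret, opts ListOptions) []Secret {
	var out []Secret
	for _, s := range store {
		if opts.Namespace != "" && s.Namespace != opts.Namespace {
			continue
		}
		matched := true
		for k, v := range opts.MatchLabels {
			if s.Labels[k] != v {
				matched = false
			}
		}
		if matched {
			out = append(out, s)
		}
	}
	return out
}

// ListVulnerable reproduces the pre-0.19.2 call: the PushSecret's namespace is
// available but never passed, so the selector is evaluated cluster-wide.
func ListVulnerable(store []Secret, psNamespace string, sel map[string]string) []Secret {
	return List(store, ListOptions{MatchLabels: sel})
}
// ListFixed scopes the same selector to the PushSecret's own namespace.
func ListFixed(store []Secret, psNamespace string, sel map[string]string) []Secret {
	return List(store, ListOptions{MatchLabels: sel, Namespace: psNamespace})
}
// Cluster is a constructed sample: the same label on secrets in two namespaces.
var Cluster = []Secret{
	{"team-a", "app-token", map[string]string{"sync": "true"}},
	{"kube-system", "cloud-creds", map[string]string{"sync": "true"}},
	{"team-a", "unrelated", map[string]string{}},
}
```

With the selector sync=true issued from a PushSecret in team-a, the vulnerable call also returns kube-system/cloud-creds, while the fixed call returns only team-a/app-token.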

Added: Aug 13, 2025, 11:19 PM
Updated: Aug 13, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 5.9
remediation: 7.9
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.