External Secrets Operator BeyondTrust Provider Cross-Namespace Secret Access Vulnerability

Vulnerability

A vulnerability in the BeyondTrust provider for External Secrets Operator, affecting versions from 0.10.1 prior to 0.19.2, allowed unauthorized cross-namespace access to Kubernetes secrets. When resolving the secret references in a store's provider configuration, the provider honoured the namespace named in the reference without checking the kind of store it was working for. Only a cluster-scoped 'ClusterSecretStore' is meant to read secrets from other namespaces; a namespaced 'SecretStore' is supposed to be confined to the namespace it lives in. Because that distinction was not enforced, a 'SecretStore' could reference, and the provider would read, secrets in namespaces its owner was never granted access to.

Impact

A user who could create or modify a 'SecretStore' in one namespace could use it to retrieve secrets from other namespaces, violating the namespace boundary and exposing credentials that belong to other tenants or system components. Depending on what those secrets contain, this could lead to privilege escalation, data exfiltration, or compromise of service accounts and the credentials they carry.

Remediation

Users are advised to upgrade to External Secrets Operator version 0.20.0 or later, which includes the fix. As a defence-in-depth measure, an admission policy engine such as Kyverno or OPA can be used either to block use of the BeyondTrust provider altogether or to validate every '(Cluster)SecretStore' on admission, ensuring that a secret reference's namespace is only set when the object is a 'ClusterSecretStore' and never on a namespaced 'SecretStore'.
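To make the boundary concrete, the following Go program is an added illustration, not code from External Secrets Operator or BeyondTrust. It places the flawed namespace resolution next to a corrected one and adds a store validation routine of the kind the admission policy above would express declaratively. The Store and SecretKeySelector types, the auth field names (clientId, clientSecret) and the sample namespaces are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Kinds of the two ESO store types (external-secrets.io).
const (
	KindSecretStore        = "SecretStore"
	KindClusterSecretStore = "ClusterSecretStore"
)

// SecretKeySelector models a secretRef: Secret name, key within it and an
// optional namespace (nil when unset). Assumed shape for this example.
type SecretKeySelector struct {
	Name      string
	Key       string
	Namespace *string
}

// Store is a reduced model of a (Cluster)SecretStore: its kind, the namespace
// the object lives in (empty for the cluster-scoped kind) and the provider's
// auth secretRefs keyed by field name. Illustration only, not the project's API type.
type Store struct {
	Kind      string
	Namespace string
	AuthRefs  map[string]SecretKeySelector
}

// resolveNamespaceVulnerable reproduces the flawed behaviour: the namespace in
// the selector is used whenever present, regardless of store kind, so a
// namespaced SecretStore in "team-a" can read a Secret in "kube-system".
func resolveNamespaceVulnerable(store Store, ref SecretKeySelector) string {
	if ref.Namespace != nil && *ref.Namespace != "" {
		return *ref.Namespace
	}
	return store.Namespace
}

var (
	ErrNamespaceNotAllowed = errors.New("secretRef.namespace must not be set on a namespaced SecretStore")
	ErrNamespaceRequired   = errors.New("secretRef.namespace is required on a ClusterSecretStore")
)

// resolveNamespaceFixed enforces the boundary: a SecretStore only ever reads
// from its own namespace and may not name one, while a ClusterSecretStore
// must say which namespace it reads from.
func resolveNamespaceFixed(store Store, ref SecretKeySelector) (string, error) {
	hasNS := ref.Namespace != nil && *ref.Namespace != ""
	switch store.Kind {
	case KindClusterSecretStore:
		if !hasNS {
			return "", ErrNamespaceRequired
		}
		return *ref.Namespace, nil
	case KindSecretStore:
		if hasNS {
			return "", ErrNamespaceNotAllowed
		}
		return store.Namespace, nil
	default:
		return "", fmt.Errorf("unknown store kind %q", store.Kind)
	}
}

// validateStore applies the same rule to every auth secretRef of a store, in a
// stable field order, and returns one error per violation. This is the check
// an admission policy (Kyverno, OPA) would enforce before the object is stored.
func validateStore(store Store) []error {
	fields := make([]string, 0, len(store.AuthRefs))
	for f := range store.AuthRefs {
		fields = append(fields, f)
	}
	sort.Strings(fields)
	var errs []error
	for _, f := range fields {
		if _, err := resolveNamespaceFixed(store, store.AuthRefs[f]); err != nil {
			errs = append(errs, fmt.Errorf("auth.%s: %w", f, err))
		}
	}
	return errs
}

func strptr(s string) *string { return &s }

func main() {
	// Constructed example: a SecretStore in "team-a" whose clientSecret
	// reference points into "kube-system".
	bad := Store{Kind: KindSecretStore, Namespace: "team-a", AuthRefs: map[string]SecretKeySelector{
		"clientId":     {Name: "bt-creds", Key: "clientId"},
		"clientSecret": {Name: "bt-creds", Key: "clientSecret", Namespace: strptr("kube-system")},
	}}
	fmt.Println("vulnerable lookup namespace:", resolveNamespaceVulnerable(bad, bad.AuthRefs["clientSecret"]))
	for _, err := range validateStore(bad) {
		fmt.Println("rejected:", err)
	}
}
```

Running it shows the vulnerable resolver happily returning "kube-system" for a store that lives in "team-a", while the validation routine rejects the same object with a single violation on auth.clientSecret. The same two rules (no namespace on a SecretStore, a required namespace on a ClusterSecretStore) are what a Kyverno or OPA policy would check on every (Cluster)SecretStore admitted to the cluster.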

Added: Oct 10, 2025, 11:20 PM
Updated: Oct 10, 2025, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 4.4
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.