Marin3r Cross-Namespace Secret Access Vulnerability in DiscoveryServiceCertificate

Vulnerability

A cross-namespace secret access vulnerability has been identified in Marin3r versions through 0.13.3. This issue allows users to bypass Kubernetes Role-Based Access Control (RBAC) and access secrets in unauthorized namespaces via the DiscoveryServiceCertificate resource. The vulnerability arises because the certificate provider does not enforce namespace restrictions, enabling unauthorized access to sensitive data.

Impact

Exploitation of this vulnerability allows users to read secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries. This could lead to unauthorized access to sensitive information or credentials stored in those secrets.

Reproduction

To reproduce this vulnerability, create a DiscoveryServiceCertificate resource in a namespace different from the one containing the referenced secret. The certificate provider will not enforce the same-namespace requirement, allowing access to the secret in the unauthorized namespace.

Remediation

Users should update to Marin3r version 0.13.4 or later, which addresses this vulnerability by enforcing namespace restrictions. Until the update is applied, restrict permissions to create DiscoveryServiceCertificate resources to cluster administrators only.
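To apply the interim mitigation above, it helps to know which roles currently grant create on the resource. The following is an added example, not code from the Marin3r project or from this advisory. It assumes the API group operator.marin3r.3scale.net and the plural resource name discoveryservicecertificates, neither of which is stated on this page, and it runs on a constructed sample shaped like the output of `kubectl get clusterroles,roles -A -o json`.

```python
# Assumptions (not stated in the advisory): Marin3r's operator API group and
# the plural resource name of DiscoveryServiceCertificate.
GROUP = "operator.marin3r.3scale.net"
RESOURCE = "discoveryservicecertificates"


def _matches(values, wanted):
    """RBAC list match: '*' is a wildcard, otherwise exact membership."""
    return "*" in values or wanted in values


def allows_create(rule):
    """True if one RBAC PolicyRule authorizes creating the resource."""
    # A rule limited by resourceNames never authorizes "create": the object
    # name is not known when the create request is authorized.
    if rule.get("resourceNames"):
        return False
    return (_matches(rule.get("apiGroups", []), GROUP)
            and _matches(rule.get("resources", []), RESOURCE)
            and _matches(rule.get("verbs", []), "create"))


def audit(role_list):
    """Return sorted 'Kind/namespace/name' keys of roles granting create."""
    hits = []
    for item in role_list.get("items", []):
        # "rules" may be null, e.g. an aggregated ClusterRole not yet filled in.
        if any(allows_create(r) for r in item.get("rules") or []):
            meta = item["metadata"]
            hits.append(f'{item["kind"]}/{meta.get("namespace", "-")}/{meta["name"]}')
    return sorted(hits)


# Constructed sample data, not taken from a real cluster.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "mesh-dev", "namespace": "team-a"},
     "rules": [{"apiGroups": [GROUP], "resources": [RESOURCE],
                "verbs": ["get", "create"]}]},
    {"kind": "Role", "metadata": {"name": "named-only", "namespace": "team-b"},
     "rules": [{"apiGroups": [GROUP], "resources": ["*"], "verbs": ["*"],
                "resourceNames": ["edge"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [GROUP], "resources": [RESOURCE],
                "verbs": ["get", "list"]}]},
]}

if __name__ == "__main__":
    for role in audit(SAMPLE):
        print("grants create on", RESOURCE + ":", role)
```

The result lists roles only. Each reported role still has to be traced through its RoleBindings and ClusterRoleBindings to see which subjects other than cluster administrators hold it.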

Added: Nov 6, 2025, 1:17 AM
Updated: Nov 6, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.