Kubernetes Secrets-Store-Sync-Controller Service Account Token Disclosure Vulnerability
Vulnerability
A vulnerability exists in the Kubernetes secrets-store-sync-controller in versions prior to 0.0.2, where service account tokens are inadvertently logged. This logging could allow an actor with access to the controller logs to see these tokens, which might be exchanged with external cloud providers to access secrets stored in cloud vaults. The tokens are only logged when specific errors occur while processing the parameters sent to the providers.
Impact
Exploitation of this vulnerability could lead to unauthorized access to cloud vault secrets, using exchanged service account tokens.
Reproduction
To reproduce this vulnerability, deploy the secrets-store-sync-controller version prior to 0.0.2. Then, induce an error that causes the controller to log service account tokens. This can be done by sending parameters that trigger a marshaling error, which will result in the tokens being logged.
Remediation
Upgrade to secrets-store-sync-controller version 0.0.2 or later.
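The marshaling-error path described above, and the check to run over existing logs after upgrading, as an added Go example that is not the controller's own code. The flawed and hardened request builders, the `serviceAccountToken` parameter key, the sample JWT and the channel value used to force a marshal failure are all constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// sampleToken is a constructed, non-valid JWT used only to exercise the checks.
const sampleToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.c2ln"

// jwtPattern matches a JWT's three base64url segments ("eyJ" encodes the '{"' opening every header).
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)

// redact copies the provider parameters, replacing every JWT-shaped string value
// so the copy can safely appear in an error message or log line.
func redact(params map[string]any) map[string]any {
	out := make(map[string]any, len(params))
	for k, v := range params {
		if s, ok := v.(string); ok && jwtPattern.MatchString(s) {
			out[k] = "[REDACTED]"
		} else {
			out[k] = v
		}
	}
	return out
}

// providerRequestUnsafe mirrors the flawed pattern: a marshal failure folds the raw parameters, tokens included, into the error the controller then logs.
func providerRequestUnsafe(params map[string]any) (string, error) {
	b, err := json.Marshal(params)
	if err != nil {
		return "", fmt.Errorf("marshal provider params %v: %w", params, err)
	}
	return string(b), nil
}

// providerRequestSafe is the hardened form: only redacted parameters reach the error, so the same failure cannot disclose a token.
func providerRequestSafe(params map[string]any) (string, error) {
	b, err := json.Marshal(params)
	if err != nil {
		return "", fmt.Errorf("marshal provider params %v: %w", redact(params), err)
	}
	return string(b), nil
}

// findLeakedTokens returns every JWT-shaped value in log text; run it over retained controller logs to decide which tokens to treat as exposed and rotate.
func findLeakedTokens(logText string) []string {
	return jwtPattern.FindAllString(logText, -1)
}
```

Any token the scan finds in logs written by a pre-0.0.2 controller should be treated as disclosed, regardless of whether the log itself is thought to have been read.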
