External Secrets Operator Cross-Namespace Secret Retrieval Vulnerability

Vulnerability

A vulnerability exists in External Secrets Operator from version 0.20.2 up to, but not including, 1.2.0, in the `getSecretKey` template function that was added for the senhasegura DevOps Secrets Management (DSM) provider. The function reads Kubernetes Secrets through the controller's own service account, whose RoleBinding/ClusterRoleBinding typically permits reading Secrets in any namespace, so a template can fetch a Secret from a namespace other than the one the `ExternalSecret` lives in. This bypasses the operator's safeguards against cross-namespace access and can expose sensitive data, enabling privilege escalation or data exfiltration. Version 1.2.0 fixes the issue by removing `getSecretKey` entirely; its use cases can be covered by other mechanisms that stay within the operator's security model.

Impact

Exploitation allows cross-namespace secret access: anyone permitted to create or edit an `ExternalSecret` in one namespace can retrieve Secrets from namespaces they are not otherwise authorized to read. The reachable set is bounded only by what the external-secrets controller's service account can read, which in a typical installation is every Secret in the cluster. That includes service account tokens and other credentials, so the impact extends to privilege escalation and further compromise of workloads and identities.

Reproduction

To reproduce, create an `ExternalSecret` whose template (the templated `data` under `spec.target.template`) calls `getSecretKey` to read a Secret that lives in a different namespace from the `ExternalSecret` itself. Once the resource is applied, the controller renders the template using its own permissions and writes the result into the target Secret in the `ExternalSecret`'s namespace, where the creator of the `ExternalSecret` can read it. The data now being readable from a namespace in which the user has no RBAC permission on the original Secret demonstrates the cross-namespace access granted by `getSecretKey`.

Remediation

Users should upgrade to External Secrets Operator version 1.2.0 or later, where `getSecretKey` has been removed. Because the fix removes the function rather than restricting it, audit existing `ExternalSecret` templates for `getSecretKey` before upgrading; any template that still relies on it will fail to render after the upgrade and should be rewritten using supported mechanisms. As a temporary workaround until the upgrade, an admission policy (a built-in Kubernetes ValidatingAdmissionPolicy, or a policy engine such as Kyverno, Kubewarden or OPA) can reject any `ExternalSecret` whose templates reference `getSecretKey`.
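The following is an added example, not code from the advisory or from the External Secrets project. It implements the two checks a practitioner would want for the reproduction and remediation sections above: a version test against the affected range the advisory gives (0.20.2 up to, but not including, 1.2.0), and a scan over an `ExternalSecret` manifest (in the JSON shape `kubectl get -o json` produces) for any template string that calls `getSecretKey`, returning an allow/deny verdict of the kind an admission policy would enforce. The sample manifests are constructed for the example, and the argument layout shown in the `getSecretKey` call is a hypothetical placeholder: only the function name is matched, so the real signature does not matter to the check. `ClusterExternalSecret` is included on the assumption that its embedded spec can carry the same templates.

```python
import json
import re
from typing import Any, Iterator

# Affected range stated in the advisory: >= 0.20.2 and < 1.2.0 (1.2.0 removes the function).
AFFECTED_MIN = (0, 20, 2)
FIXED = (1, 2, 0)

# Only the function name is matched; the real argument order is not reproduced here.
GET_SECRET_KEY_RE = re.compile(r"\bgetSecretKey\b")


def parse_version(v: str) -> tuple:
    """Parse a release tag such as 'v1.1.0' or '0.20.2' into a comparable (major, minor, patch).
    Pre-release and build suffixes are dropped, so the check is deliberately coarse."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(v: str) -> bool:
    """True if the operator version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def _walk_strings(node: Any, path: str = "$") -> Iterator[tuple]:
    """Yield (json_path, value) for every string anywhere in a manifest."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{idx}]")


def find_get_secret_key_uses(manifest: dict) -> list:
    """Return the JSON paths of every string field that invokes getSecretKey.
    Every string is inspected, not just spec.target.template.data, so templates
    embedded elsewhere (e.g. literal templateFrom entries) are caught as well."""
    return [path for path, text in _walk_strings(manifest) if GET_SECRET_KEY_RE.search(text)]


def admission_verdict(manifest: dict) -> tuple:
    """(allowed, reason) in the shape an admission policy would return.
    Kinds other than ExternalSecret/ClusterExternalSecret pass through untouched."""
    if manifest.get("kind") not in ("ExternalSecret", "ClusterExternalSecret"):
        return True, "not an ExternalSecret"
    hits = find_get_secret_key_uses(manifest)
    if hits:
        return False, "getSecretKey is not permitted: " + ", ".join(hits)
    return True, "ok"


# Constructed sample manifests (not taken from the advisory).
BENIGN_MANIFEST = {
    "apiVersion": "external-secrets.io/v1",
    "kind": "ExternalSecret",
    "metadata": {"name": "app-creds", "namespace": "team-a"},
    "spec": {
        "refreshInterval": "1h",
        "secretStoreRef": {"kind": "SecretStore", "name": "dsm"},
        "target": {"name": "app-creds", "template": {"data": {"password": "{{ .password }}"}}},
        "data": [{"secretKey": "password", "remoteRef": {"key": "app/password"}}],
    },
}

# Same resource with a template that reaches into another namespace; the argument layout
# in the call below is hypothetical and serves only to make the scanner's match visible.
SUSPECT_MANIFEST = json.loads(json.dumps(BENIGN_MANIFEST))
SUSPECT_MANIFEST["spec"]["target"]["template"]["data"]["token"] = (
    '{{ getSecretKey "kube-system" "admin-token" "token" }}'
)

if __name__ == "__main__":
    for tag in ("v0.20.1", "v0.20.2", "v1.1.0", "v1.2.0"):
        print(tag, "affected" if is_affected_version(tag) else "not affected")
    for manifest in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        print(manifest["metadata"]["name"], admission_verdict(manifest))
```

Run the script over the output of `kubectl get externalsecrets -A -o json` (feeding each item to `admission_verdict`) to inventory templates that will break when 1.2.0 removes the function, and port the same "no `getSecretKey` substring in any template field" rule into the policy engine used for the interim block.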

Added: Jan 21, 2026, 10:28 PM
Updated: Jan 21, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 5.8
remediation: 7.9
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.