Excessive privileges In github.com/external-secrets/external-secrets/apis
Description
ExternalSecrets vulnerable to privilege escalation with secret overwriting ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to.
Impact
A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate with a long-lived token for the sepcified service account. This effectively allows the user to impersonate any service account in the namespace without needing direct create permissions on TokenRequest or Secrets of that type.
The problem is mitigated in severity by the fact that the user must have pre-existing permissions already at almost the same level as the escalation later gives. The attacker cannot use this method to gain access to more information without other things also being misconfigured in the ESO installation.
Patches
Disallow this combination including the bootstrap token secret type.
Workarounds
Add admission control logic to prevent the use of Templates targeting undesired Types
Remove Service Account Token generation via kube-controller-manager flags
Restrict User RBAC on production clusters and sensitive namespaces
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | github.com/external-secrets/external-secrets/apis | 2.4.1 |
Aliases
References