Security Advisories

CGA-w445-q5r8-mf48

Published

Last updated

https://images.chainguard.dev/security/CGA-w445-q5r8-mf48
Package

external-secrets-operator-0.17

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-55196
  • GHSA-fcxq-v2r3-cc8h

Severity

Unknown

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55196

Updates

Status

Pending upstream fix

Impact

The vulnerability in External Secrets Operator allows unauthorized secret access across namespaces because List() calls are missing namespace restrictions. It affects the List() operations of the PushSecret and SecretStore controllers, which could allow attackers to exfiltrate sensitive data from arbitrary namespaces. The fix is available in version 0.19.2; however, because of significant functional changes between 0.17.x and 0.19.x, upstream maintainers will need to backport the security fix to the 0.17.x release stream for this package to receive the fix.

Status

Under investigation


© 2025 Chainguard. All Rights Reserved.