external-secrets-operator-0.17
Chainguard
Status
Impact
The vulnerability in External Secrets Operator allows unauthorized access to secrets across namespaces because List() calls are missing namespace restrictions. The fix is available in version 0.19.2. However, due to significant functional changes between 0.17.x and 0.19.x, upstream maintainers will need to backport the security fix to the 0.17.x release stream before this package can receive it. The vulnerability affects the List() operations of the PushSecret and SecretStore controllers, which could allow attackers to exfiltrate sensitive data from arbitrary namespaces.