CRITICAL🇵🇱 Wersja polska

CVE-2024-36540

CVSS 9.8v3.1pub. 2024-07-24upd. 2025-06-27

Insecure permissions in external-secrets v0.9.16 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.

🤖 AI Analysis
How it works

The External Secrets Operator manages synchronization of secrets from external systems (e.g., Vault, AWS Secrets Manager) to Kubernetes. In version v0.9.16, the permissions assigned to the operator's service account are excessively broad or misconfigured (CWE-277 — improperly preserved privileges). An attacker who gains access to the environment can retrieve the service account token and then use it to gain access to sensitive data and escalate privileges in the Kubernetes cluster.

Impact

An attacker can gain access to sensitive data stored in secrets and perform privilege escalation — potentially taking full control of the Kubernetes cluster or managed cloud resources.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to audit the permissions of service accounts in the Kubernetes cluster and restrict access to service account tokens in accordance with the principle of least privilege.

Who is affected

External Secrets Operator version v0.9.16

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • External Secrets Operator

    APP
    External-Secrets
    0.9.16
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-22822CRITICAL9.3PL ✓ten sam produkt

External Secrets Operator: nieautoryzowany dostęp do sekretów między przestrzeniami nazw

CVE-2026-34984HIGH7.1ten sam produkt

External Secrets Operator reads information from a third-party service and automatically injects the values as...

CVE-2024-45041HIGH8.3ten sam produkt

External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The ext...