Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-yqjd-yq3c-vbhy
SummaryExternal Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`.
Aliases
0
alias CVE-2025-62159
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62159
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21926
published_at 2026-06-11T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.22114
published_at 2026-06-12T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.22126
published_at 2026-06-13T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.221
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62159
1
reference_url https://github.com/external-secrets/external-secrets/security/advisories/GHSA-vf79-2pjx-phpp
reference_id GHSA-vf79-2pjx-phpp
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-14T15:01:00Z/
url https://github.com/external-secrets/external-secrets/security/advisories/GHSA-vf79-2pjx-phpp
Weaknesses
0
cwe_id 284
name Improper Access Control
description The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Exploits
Severity_range_score8.7 - 8.7
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-yqjd-yq3c-vbhy