
External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine

CVE-2026-34984 | RCE | 2026-04-13

Vulnerability description

## Summary

The v2 template engine in `runtime/template/v2/template.go` imports Sprig's `TxtFuncMap()` and removes `env` and `expandenv`, but leaves `getHostByName` available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated ExternalSecret resources can trigger controller-side DNS lookups using secret-derived values, creating a DNS exfiltration primitive.

### Impact

This is a confidentiality issue. In environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller can perform DNS resolution, fetched secret material can be exfiltrated through DNS without requiring direct outbound access from the attacker's workload.

Source Code Location: https://github.com/external-secrets/external-secrets

Affected Packages:
- go:github.com/external-secrets/external-secrets, affected < 1.3.3-0.20260331202714-6800989bdc12, patched in 1.3.3-0.20260331202714-6800989bdc12
- go:github.com/external-secrets/external-secrets, affected >= 2.0.0, <= 2.2.0

CWEs:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS:
- CVSS_V4: score 7.1, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References:
- https://github.com/external-secrets/external-secrets/security/advisories/GHSA-r2pg-r6h7-crf3
- https://github.com/external-secrets/external-secrets/commit/6800989bdc12782ca2605d3b8bf7f2876a16551a
- https://github.com/external-secrets/external-secrets/releases/tag/v2.3.0
- https://github.com/advisories/GHSA-r2pg-r6h7-crf3
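A hardened function map of the kind the fix requires, as an added example that is not the project's own code: `BaseFuncs` is a constructed stand-in for Sprig's `TxtFuncMap()` (Sprig itself is not imported), and `DeniedFuncs`, `HardenedFuncs` and `Render` are assumed names. It shows that once `getHostByName` is stripped alongside `env` and `expandenv`, a template that references it is rejected when parsed, before the controller performs any lookup.

```go
package main

import (
	"bytes"
	"net"
	"strings"
	"text/template"
)

// BaseFuncs is a constructed stand-in for Sprig's TxtFuncMap(): like the pre-fix v2
// engine it still exposes getHostByName, a DNS lookup run inside the controller.
func BaseFuncs() template.FuncMap {
	return template.FuncMap{
		"upper": strings.ToUpper,
		"getHostByName": func(name string) string {
			addrs, _ := net.LookupHost(name) // resolves from the controller's network position
			return strings.Join(addrs, ",")
		},
	}
}

// DeniedFuncs lists helpers with side effects outside the template (environment reads,
// DNS lookups) that must never be reachable from user-authored templates.
var DeniedFuncs = []string{"env", "expandenv", "getHostByName"}

// HardenedFuncs returns a copy of base with every denied helper removed.
func HardenedFuncs(base template.FuncMap) template.FuncMap {
	out := make(template.FuncMap, len(base))
	for name, fn := range base {
		out[name] = fn
	}
	for _, name := range DeniedFuncs {
		delete(out, name)
	}
	return out
}

// Render parses and executes tpl with funcs. text/template binds function names at
// parse time, so a template that calls a stripped helper fails here, before any lookup.
func Render(tpl string, funcs template.FuncMap, data map[string]string) (string, error) {
	t, err := template.New("eso").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Under the hardened map, `Render` returns a parse error of the form `function "getHostByName" not defined`, while side-effect-free helpers such as `upper` keep working.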
