Bug 2369602 (CVE-2025-5417)

Summary:	CVE-2025-5417 rhdh: Red Hat Developer Hub user permissions
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abarbaro, jchui, jhe, ktsao, nboldt, psrna, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Deadline:	2025-08-20

Description OSIDB Bzimport 2025-05-31 22:39:32 UTC

Insufficient access control vulnerability has been detected in the Red Hat
Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer
Hub cluster admin/user, who has standard user access to the cluster and the
Red Hat Developer Hub namespace, is able to get access to the
rhdh/rhdh-hub-rhel9 container image and modify the content of the image,
which impacts the Confidentiality and Integrity of the data. Made changes
are not permanent and are reset after the pod restart.