Bug 2396641 (CVE-2025-10725)

Summary: CVE-2025-10725 openshift-ai: Overly Permissive ClusterRole Allows Authenticated Users to Escalate Privileges to Cluster Admin
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: fduthill, jkoehler, lphiri, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.
Deadline: 2025-10-31

Description OSIDB Bzimport 2025-09-19 08:46:11 UTC
OpenShift AI includes a ClusterRole named kueue-batch-user-role that is
incorrectly bound to the system:authenticated group. This grants any
authenticated entity, including low-privileged service accounts for user
workbenches, the permission to create OpenShift Jobs in any namespace. An
attacker can abuse this permission to schedule a malicious Job in a
privileged namespace (e.g., openshift-apiserver-operator), configuring it
to run with a high-privilege ServiceAccount. The Job can then exfiltrate
the ServiceAccount token, allowing the attacker to progressively pivot and
compromise more powerful accounts, ultimately achieving root access on
cluster master nodes and leading to a full cluster takeover.
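The attack path above leaves a distinctive trace in the API-server audit log: a write to batch Jobs in a platform namespace from an identity that has no business there. The following detection rule is an added example, not code from the Bugzilla record or from OpenShift. It reads audit.k8s.io/v1 events (one JSON object per line) and reports create/update/patch requests on Jobs or CronJobs in openshift-*/kube-* namespaces whose caller is a human user or a ServiceAccount from a non-platform namespace; denied attempts are reported too. The sample events, the workbench namespace and ServiceAccount names, and the `operator-sa` value are constructed; only the namespace openshift-apiserver-operator comes from the description.

```python
"""Flag Job writes in platform namespaces by identities that do not belong there.

Added example for the attack path described in this bug; not code from the
Bugzilla record or from OpenShift. Audit events are audit.k8s.io/v1 JSON lines.
All user, namespace and ServiceAccount names in the sample are constructed.
"""
import json

WRITE_VERBS = {"create", "update", "patch"}
WATCHED_RESOURCES = {"jobs", "cronjobs"}


def is_platform_namespace(ns):
    return bool(ns) and (ns.startswith(("openshift-", "kube-")) or ns in ("openshift", "default"))


def is_platform_identity(username):
    """Cluster components authenticate as system:serviceaccount:<platform-ns>:<sa>
    or as other system:* identities (system:admin, system:kube-scheduler, ...)."""
    if not username.startswith("system:"):
        return False  # a human user or an OAuth identity
    if username.startswith("system:serviceaccount:"):
        parts = username.split(":")
        return len(parts) == 4 and is_platform_namespace(parts[2])
    return True


def evaluate_event(event):
    """Return a finding dict when the event matches the rule, otherwise None."""
    if event.get("verb") not in WRITE_VERBS:
        return None
    ref = event.get("objectRef", {})
    if ref.get("apiGroup") != "batch" or ref.get("resource") not in WATCHED_RESOURCES:
        return None
    ns = ref.get("namespace")
    user = event.get("user", {}).get("username", "")
    if not is_platform_namespace(ns) or is_platform_identity(user):
        return None
    # spec.template.spec.serviceAccountName shows which identity the Job would
    # run as; it is only present when the audit policy records request bodies.
    runs_as = (event.get("requestObject", {}).get("spec", {}).get("template", {})
               .get("spec", {}).get("serviceAccountName"))
    return {"time": event.get("requestReceivedTimestamp"), "user": user,
            "verb": event["verb"], "namespace": ns, "name": ref.get("name"),
            "runs_as": runs_as, "status": event.get("responseStatus", {}).get("code")}


def scan_audit_log(lines):
    """Evaluate every JSON line. Denied (403) attempts are kept: a refused
    request is still evidence that someone is probing this path."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated trailing line in a rotated log
        finding = evaluate_event(event)
        if finding:
            findings.append(finding)
    return findings


def _event(user, verb, ns, name, code, sa=None, ts="2025-09-19T08:46:11Z"):
    """Build a minimal audit event (constructed sample data)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1",
          "requestReceivedTimestamp": ts, "verb": verb, "user": {"username": user},
          "objectRef": {"apiGroup": "batch", "resource": "jobs", "namespace": ns, "name": name},
          "responseStatus": {"code": code}}
    if sa:
        ev["requestObject"] = {"spec": {"template": {"spec": {"serviceAccountName": sa}}}}
    return ev


# Constructed log: a workbench ServiceAccount (made-up names) creating a Job in
# a platform namespace, benign platform and tenant traffic, and a denied attempt.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("system:serviceaccount:ds-project-alice:workbench-sa", "create",
           "openshift-apiserver-operator", "sync-helper", 201, sa="operator-sa"),
    _event("system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator",
           "create", "openshift-apiserver-operator", "cert-rotation", 201),
    _event("system:serviceaccount:ds-project-alice:workbench-sa", "create",
           "ds-project-alice", "train-model", 201),
    _event("alice", "list", "openshift-apiserver-operator", None, 200),
    _event("alice", "create", "kube-system", "cleanup", 403),
]) + "\n"

if __name__ == "__main__":
    # Usage: python detect_job_writes.py < audit.log   (falls back to the sample)
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    for f in scan_audit_log(src):
        print(f"{f['time']} {f['status']} {f['user']} {f['verb']} "
              f"job {f['namespace']}/{f['name']} runs_as={f['runs_as']}")
```

On the constructed sample the rule reports the workbench ServiceAccount's Job in openshift-apiserver-operator (with the ServiceAccount it would run as) and the denied attempt in kube-system, and stays silent on the operator's own Job and on the tenant's Job in its own namespace. The `runs_as` field is only populated when the cluster's audit policy is at `RequestResponse` or `Request` level for the batch API group.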

Impact

A low-privileged attacker with access to an authenticated account, such as
a data scientist using a standard Jupyter notebook, can escalate their
privileges to a full cluster administrator. This allows for the complete
compromise of the cluster's confidentiality, integrity, and availability.
The attacker can steal sensitive data, disrupt all services, and take
control of the underlying infrastructure, leading to a total breach of the
platform and all applications hosted on it.

Recommendations

Remove the ClusterRoleBinding that associates the kueue-batch-user-role
with the system:authenticated group. The permission to create jobs should
be granted on a more granular, as-needed basis to specific users or groups,
adhering to the principle of least privilege. Avoid granting broad
permissions to system-level groups.
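To check a cluster for the binding described in the Description and to verify the fix recommended above, the following audit is an added example (not code from the Bugzilla record, OpenShift AI or Kueue). It consumes the `items` list that `oc get clusterroles,clusterrolebindings,rolebindings -A -o json` returns and reports every binding that hands Job write access to an "everyone" group (system:authenticated, system:unauthenticated, system:serviceaccounts). The embedded sample is constructed: the rules shown for kueue-batch-user-role are an assumed approximation, and the binding name, the `ds-project` namespace, the `data-science-team` group and the `job-viewer` role are made up. The sample also contains the corrected shape, a namespaced RoleBinding to a specific group, which the audit correctly does not flag.

```python
"""Audit RBAC for a Job-creating ClusterRole bound cluster-wide to an "everyone" group.

Added example, not code from the Bugzilla record, OpenShift AI or Kueue.
Input is the `items` list of
`oc get clusterroles,clusterrolebindings,rolebindings -A -o json`.
The sample below is constructed; kueue-batch-user-role's rules are assumed.
"""
import json
import sys

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def role_grants_job_write(role):
    """True if any rule of a ClusterRole allows a write verb on batch Jobs."""
    for rule in role.get("rules", []):
        if not set(rule.get("apiGroups", [])) & {"batch", "*"}:
            continue
        if not set(rule.get("resources", [])) & {"jobs", "*"}:
            continue
        if set(rule.get("verbs", [])) & WRITE_VERBS:
            return True
    return False


def audit_bindings(items):
    """Return one finding per (binding, broad group) pair.

    A ClusterRoleBinding applies cluster-wide; a RoleBinding that references a
    ClusterRole confines it to one namespace. Either is reported when its
    subject is an "everyone" group and the role can write Jobs; a RoleBinding
    to a specific team group is the shape the recommendation asks for."""
    cluster_roles = {o["metadata"]["name"]: o for o in items if o.get("kind") == "ClusterRole"}
    findings = []
    for obj in items:
        kind = obj.get("kind")
        if kind not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = obj.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue  # plain namespaced Roles are outside this check
        role = cluster_roles.get(ref.get("name"))
        if role is None or not role_grants_job_write(role):
            continue
        scope = ("cluster-wide" if kind == "ClusterRoleBinding"
                 else "namespace " + obj["metadata"].get("namespace", "?"))
        for subj in obj.get("subjects", []):
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append({"binding": obj["metadata"]["name"], "kind": kind,
                                 "scope": scope, "role": ref["name"], "group": subj["name"]})
    return findings


# Constructed sample objects (trimmed to the fields the audit reads).
SAMPLE_ITEMS = [
    # Assumed approximation of the role's rules: it can create Jobs.
    {"kind": "ClusterRole", "metadata": {"name": "kueue-batch-user-role"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs"],
                "verbs": ["create", "get", "list", "watch"]}]},
    # Made-up read-only role for contrast.
    {"kind": "ClusterRole", "metadata": {"name": "job-viewer"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "watch"]}]},
    # The flaw: the Job-creating role bound cluster-wide to every authenticated identity
    # (binding name is made up; the bug does not name it).
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kueue-batch-user-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # Broad but read-only: cannot create Jobs, so not reported.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "job-viewer-all"},
     "roleRef": {"kind": "ClusterRole", "name": "job-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # The recommended replacement: same role, one namespace, one named team group.
    {"kind": "RoleBinding", "metadata": {"name": "kueue-batch-users", "namespace": "ds-project"},
     "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
     "subjects": [{"kind": "Group", "name": "data-science-team"}]},
]

if __name__ == "__main__":
    # Usage: oc get clusterroles,clusterrolebindings,rolebindings -A -o json | python audit_rbac.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for f in audit_bindings(items):
        print(f"{f['kind']} {f['binding']} ({f['scope']}): {f['group']} -> {f['role']}")
```

Run against the sample, the audit reports only the cluster-wide binding of kueue-batch-user-role to system:authenticated. After the binding is removed and replaced by the namespaced RoleBinding to a named group, as the recommendation describes, the same audit returns nothing, which makes it a usable regression check.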

References

* OWASP Top 10: A01:2021 – Broken Access Control:
https://owasp.org/Top10/A01_2021-Broken_Access_Control/

* OpenShift Documentation: Using RBAC to define and apply permissions:
https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html