Bug 2412992 (CVE-2025-64171)
| Summary: | CVE-2025-64171 marin3r: MARIN3R: Cross-Namespace Vulnerability in the Operator | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahrabovs, aucunnin, mstoklus |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A cross-namespace authorization flaw has been identified in the MARIN3R operator’s DiscoveryServiceCertificate resource. The flaw occurs because the operator mistakenly treats certain inputs as valid, bypassing Kubernetes Role-Based Access Control (RBAC). When a user has permission to create DiscoveryServiceCertificate objects in one Kubernetes namespace, they could exploit the vulnerability to indirectly read Secret objects in other namespaces that they should not have access to.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-11-06 01:01:35 UTC
|