Bug 2351350 (CVE-2025-2241) - CVE-2025-2241 hive: Exposure of VCenter Credentials via ClusterProvision in Hive / MCE / ACM
Status: NEW
Alias: CVE-2025-2241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2025-03-11 12:50 UTC by OSIDB Bzimport
Modified: 2025-03-17 15:57 UTC

Description OSIDB Bzimport 2025-03-11 12:50:30 UTC
Using hive (including via MCE or ACM) to provision a VSphere cluster requires supplying VCenter credentials via a Secret in the same namespace as the ClusterDeployment that declares the desired configuration of the cluster. These credentials are echoed back once the cluster is provisioned via the ClusterProvision object that hive creates in the same namespace. It is likely that customers don't realize this, and may have RBAC allowing ClusterProvision read access to users who would otherwise not be trusted with VCenter credentials.
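
An RBAC audit for the condition described above, as an added example that is not part of the original report or of hive: it flags Roles and ClusterRoles that grant read access to ClusterProvision objects without also granting read access to Secrets. The `hive.openshift.io` API group, the role names and the namespace are assumptions, and the sample input is constructed.

```python
import json

HIVE_GROUP = "hive.openshift.io"  # assumption: API group of Hive's ClusterProvision CRD
READ_VERBS = {"get", "list", "watch", "*"}

def grants_read(rules, group, resource):
    """True if any RBAC rule allows a read verb on group/resource."""
    for rule in rules or []:  # aggregated ClusterRoles can carry rules: null
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (READ_VERBS & set(rule.get("verbs", []))
                and ("*" in groups or group in groups)
                and ("*" in resources or resource in resources)):
            return True
    return False

def risky_roles(role_list):
    """Roles that can read ClusterProvisions but are not allowed to read Secrets."""
    findings = []
    for item in role_list.get("items", []):
        rules = item.get("rules")
        if (grants_read(rules, HIVE_GROUP, "clusterprovisions")
                and not grants_read(rules, "", "secrets")):  # "" is the core API group
            meta = item["metadata"]
            findings.append((item["kind"], meta.get("namespace", ""), meta["name"]))
    return findings

# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Role", "metadata": {"name": "provision-viewer", "namespace": "clusters-prod"},
   "rules": [{"apiGroups": ["hive.openshift.io"],
              "resources": ["clusterdeployments", "clusterprovisions"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "Role", "metadata": {"name": "cluster-owner", "namespace": "clusters-prod"},
   "rules": [{"apiGroups": ["hive.openshift.io"], "resources": ["*"], "verbs": ["*"]},
             {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}
""")

if __name__ == "__main__":
    for kind, ns, name in risky_roles(SAMPLE):
        print(f"{kind} {ns}/{name}: reads ClusterProvisions without Secret access")
```

The check is per role: a subject bound to several roles may hold Secret access through another binding, so flagged roles still need their RoleBindings and ClusterRoleBindings reviewed.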