GHSA-cc8c-28gj-px38

Source

https://github.com/advisories/GHSA-cc8c-28gj-px38

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-cc8c-28gj-px38/GHSA-cc8c-28gj-px38.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cc8c-28gj-px38

Aliases

CVE-2025-11393
GO-2025-4241

Published

2025-12-15T18:30:40Z

Modified

2025-12-22T18:41:55.008305Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access

Details

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle.

This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

Database specific

{
    "cwe_ids": [
        "CWE-441"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2025-12-15T17:15:51Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T20:40:12Z"
}

References

Affected packages

Go / github.com/RedHatInsights/runtimes-inventory-operator

Package

Name: github.com/RedHatInsights/runtimes-inventory-operator; View open source insights on deps.dev
Purl: pkg:golang/github.com/RedHatInsights/runtimes-inventory-operator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.0.0-20251211184433-5123422abee1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-cc8c-28gj-px38/GHSA-cc8c-28gj-px38.json"