GHSA-gf93-xccm-5g6j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gf93-xccm-5g6j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-gf93-xccm-5g6j/GHSA-gf93-xccm-5g6j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gf93-xccm-5g6j
- Aliases
- Published
- 2025-11-04T15:43:52Z
- Modified
- 2025-11-06T15:30:15Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MARIN3R: Cross-Namespace Vulnerability in the Operator
- Details
-
Summary
Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthorized namespaces.
Affected Versions
All versions prior to v0.13.4
Patched Versions
v0.13.4 and later
Impact
Users with permission to create DiscoveryServiceCertificate resources in one namespace can indirectly read Secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries.
Workarounds
Restrict DiscoveryServiceCertificate create permissions to cluster administrators only until patched version is deployed.
Credit
Thanks to @debuggerchen for the responsible disclosure.
- Database specific
{ "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-862" ], "nvd_published_at": "2025-11-06T01:15:38Z", "github_reviewed_at": "2025-11-04T15:43:52Z" }- References
-
- https://github.com/3scale-sre/marin3r/security/advisories/GHSA-gf93-xccm-5g6j
- https://nvd.nist.gov/vuln/detail/CVE-2025-64171
- https://github.com/3scale-sre/marin3r/pull/294
- https://github.com/3scale-sre/marin3r/commit/859b14115fde1d67620e645cd1b62e90e30d9981
- https://github.com/3scale-sre/marin3r/commit/c60246a43ae8c0c38dd7267f298d68a121a159fa
- https://github.com/3scale-sre/marin3r
Affected packages
Go / github.com/3scale-sre/marin3r
Package
- Name
- github.com/3scale-sre/marin3r
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/3scale-sre/marin3r