CVE-2025-2843
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: Red Hat, Inc.

Description
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-2843
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat observability_operator *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Observability Operator, where it creates a ServiceAccount with ClusterRole when deploying a Namespace-Scoped Custom Resource called MonitorStack. An attacker with only namespaced-level permissions can create a MonitorStack in an authorized namespace and then impersonate the ServiceAccount created by the Operator. This allows the attacker to escalate their privileges from namespace-level to cluster-level, leading to privilege escalation and other security issues.

Impact Analysis

The vulnerability can allow an attacker who has limited permissions within a namespace to escalate their privileges to the cluster level. This means they could gain unauthorized access to cluster-wide resources and perform actions beyond their original scope, potentially compromising the entire Kubernetes cluster's security and integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-2843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart