CVE-2025-2843
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-2843, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: Red Hat, Inc.

Description

A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-07-06
AI Q&A
2025-11-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat observability_operator *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Observability Operator, where it creates a ServiceAccount with ClusterRole when deploying a Namespace-Scoped Custom Resource called MonitorStack. An attacker with only namespaced-level permissions can create a MonitorStack in an authorized namespace and then impersonate the ServiceAccount created by the Operator. This allows the attacker to escalate their privileges from namespace-level to cluster-level, leading to privilege escalation and other security issues.

Impact Analysis

The vulnerability can allow an attacker who has limited permissions within a namespace to escalate their privileges to the cluster level. This means they could gain unauthorized access to cluster-wide resources and perform actions beyond their original scope, potentially compromising the entire Kubernetes cluster's security and integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-2843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart