CVE-2025-29781: Sensitive Information Exposure in Baremetal-operator

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 83.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 17; Latest update Mar 18

Description

The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users to load Secret from arbitrary namespaces upon deployment of the namespace scoped Custom Resource `BMCEventSubscription`. Prior to versions 0.8.1 and 0.9.1, an adversary Kubernetes account with only namespace level roles (e.g. a tenant controlling a namespace) may create a `BMCEventSubscription` in his authorized namespace and then load Secrets from his unauthorized
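The description above explains the root cause: a namespace-scoped custom resource was allowed to name a Secret in any namespace, so the operator's cluster-wide read permission became a proxy through which a tenant could read Secrets it was not authorised for. The following Go snippet is an added illustration, not code from the Baremetal Operator project, of the defensive check a controller should apply before reading a referenced Secret: resolve the reference strictly within the referencing object's own namespace and reject anything else. The `EventSubscription` and `SecretReference` types, their field names, and the in-memory secret store are assumptions made for this example and do not mirror the operator's real API.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretReference is a simplified, hypothetical reference to a Secret.
// An empty Namespace means "the namespace of the referencing object".
type SecretReference struct {
	Name      string
	Namespace string
}

// EventSubscription is a hypothetical stand-in for a namespace-scoped
// custom resource (such as BMCEventSubscription) that references a Secret.
type EventSubscription struct {
	Name           string
	Namespace      string
	HTTPHeadersRef *SecretReference
}

// ErrCrossNamespaceSecret is returned when a resource tries to reach into
// another namespace's Secrets through the controller.
var ErrCrossNamespaceSecret = errors.New("secret reference crosses namespace boundary")

// ResolveSecretNamespace returns the only namespace a controller may read the
// referenced Secret from: the subscription's own. A reference that names a
// different namespace is rejected instead of being honoured, which is the
// tenant-isolation property the vulnerability broke.
func ResolveSecretNamespace(sub EventSubscription) (string, error) {
	ref := sub.HTTPHeadersRef
	if ref == nil {
		return "", errors.New("subscription has no secret reference")
	}
	if ref.Namespace == "" || ref.Namespace == sub.Namespace {
		return sub.Namespace, nil
	}
	return "", fmt.Errorf("%w: %s/%s referenced from %s/%s",
		ErrCrossNamespaceSecret, ref.Namespace, ref.Name, sub.Namespace, sub.Name)
}

// SecretStore is a constructed in-memory stand-in for the API server's Secrets,
// keyed by "namespace/name". It models a controller that can read everything.
type SecretStore map[string]string

// LoadSecretFor fetches the referenced Secret on behalf of a subscription,
// applying the namespace check before touching the store.
func LoadSecretFor(store SecretStore, sub EventSubscription) (string, error) {
	ns, err := ResolveSecretNamespace(sub)
	if err != nil {
		return "", err
	}
	key := ns + "/" + sub.HTTPHeadersRef.Name
	val, ok := store[key]
	if !ok {
		return "", fmt.Errorf("secret %s not found", key)
	}
	return val, nil
}

func main() {
	// Constructed sample data: the controller can see both namespaces.
	store := SecretStore{
		"tenant-a/bmc-headers":   "tenant-a-token",
		"kube-system/admin-creds": "cluster-admin-token",
	}
	own := EventSubscription{Name: "sub", Namespace: "tenant-a",
		HTTPHeadersRef: &SecretReference{Name: "bmc-headers"}}
	foreign := EventSubscription{Name: "sub", Namespace: "tenant-a",
		HTTPHeadersRef: &SecretReference{Name: "admin-creds", Namespace: "kube-system"}}

	fmt.Println(LoadSecretFor(store, own))     // tenant-a-token <nil>
	fmt.Println(LoadSecretFor(store, foreign)) // "" and a cross-namespace error
}
```

The same rule belongs in a validating admission webhook or a CRD validation so that a cross-namespace reference is refused at creation time, not only at reconcile time; the controller-side check shown here is the last line of defence if the object gets through.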

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 2.0 | Impact: 4.0

Affected Packages: 2 packages

Vulnerability Details (3)

OSV: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis (2025-03-18)
GHSA: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD (2025-03-17)
OSV: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD (2025-03-17)

Vendor Advisories (1)

Red Hat: baremetal-operator/apis: Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD (2025-03-17)