CVE-2025-6017 — Exposure of Private Personal Information to an Unauthorized Actor in Redhat Advanced Cluster Management FOR Kubernetes

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor CWE-476 — NULL Pointer Dereference5 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 92.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Advanced Cluster Management FOR Kubernetes

Timeline

PublishedJul 2

Description

A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶NVDredhat/advanced_cluster_management2.10 — 2.10.7+2

🔴Vulnerability Details

GHSA

GHSA-g8pw-ch7g-q2vc: A flaw was found in Red Hat Advanced Cluster Management through versions 2↗2025-07-02

▶

CVEList

Rhacm: users with clusterreader role can see credentials from managed-clusters↗2025-07-02

▶

📋Vendor Advisories

Red Hat

rhacm: Users with ClusterReader Role can see credentials from Managed-clusters↗2025-07-02

▶