Secret Leakage Vulnerability in Bare Metal Operator by Metal3
CVE-2025-29781

6.5 MEDIUM

Key Information:

Vendor: Metal3-io
CVE Published: 17 March 2025

What is CVE-2025-29781?

The Bare Metal Operator (BMO) for Kubernetes lets users manage bare metal hosts, but it has a critical flaw: users holding only namespace-level roles can access Secrets in namespaces they are not authorized for. The issue arises when creating a BMCEventSubscription, which can load Secrets from unauthorized namespaces, so their contents can leak. The patch in versions 0.8.1 and 0.9.1 restricts Secret access to the authorized namespace, so it is crucial to replicate existing Secrets into the corresponding namespaces before upgrading. Administrators are advised to implement strict RBAC controls and configuration options to prevent unauthorized access and safeguard sensitive information in their environments.
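The flaw and its fix, modelled in Go as an added example (this is not BMO's own code): the vulnerable resolver honours whatever namespace the Secret reference carries, while the hardened one only reads from the subscription's own namespace, as the advisory describes for 0.8.1 and 0.9.1. The HTTPHeadersRef field name, the Subscription shape and the in-memory store are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// SecretRef mirrors a Kubernetes SecretReference (name plus optional namespace).
type SecretRef struct{ Name, Namespace string }
// Subscription stands in for a BMCEventSubscription; the field name HTTPHeadersRef is assumed.
type Subscription struct {
	Namespace      string
	HTTPHeadersRef SecretRef
}
// SecretStore is a constructed in-memory stand-in for the API server, keyed "ns/name".
type SecretStore map[string]string
var ErrCrossNamespace = errors.New("secret reference must stay in the subscription's namespace")

func lookup(store SecretStore, ns, name string) (string, error) {
	if v, ok := store[ns+"/"+name]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %s/%s not found", ns, name)
}

// resolveVulnerable honours whatever namespace the reference names, so a user who may
// only create objects in tenant-a can make the operator read a Secret from infra.
func resolveVulnerable(store SecretStore, sub Subscription) (string, error) {
	ns := sub.HTTPHeadersRef.Namespace
	if ns == "" {
		ns = sub.Namespace
	}
	return lookup(store, ns, sub.HTTPHeadersRef.Name)
}

// resolveHardened reads only from the subscription's own namespace and rejects references
// that point elsewhere, the restriction the advisory attributes to 0.8.1 and 0.9.1.
func resolveHardened(store SecretStore, sub Subscription) (string, error) {
	if ref := sub.HTTPHeadersRef; ref.Namespace != "" && ref.Namespace != sub.Namespace {
		return "", ErrCrossNamespace
	}
	return lookup(store, sub.Namespace, sub.HTTPHeadersRef.Name)
}

func main() {
	store := SecretStore{"infra/bmc-headers": "Authorization: Basic <constructed>"}
	sub := Subscription{Namespace: "tenant-a", HTTPHeadersRef: SecretRef{Name: "bmc-headers", Namespace: "infra"}}
	fmt.Println(resolveVulnerable(store, sub)) // prints the infra Secret: the leak
	fmt.Println(resolveHardened(store, sub))   // prints "" and ErrCrossNamespace
}
```

Before upgrading, any subscription whose reference would now be rejected needs its Secret copied into the subscription's namespace, which is the replication step the advisory calls out.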

Affected Version(s)

baremetal-operator = 0.9.0

baremetal-operator < 0.8.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 17 March 2025

  • Vulnerability reserved