exploitDog
GHSA-gf93-xccm-5g6j

Published: 04 Nov 2025
Source: github
GitHub: Reviewed
CVSS4: 8.7

Description

MARIN3R: Cross-Namespace Vulnerability in the Operator

Summary

Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthorized namespaces.

Affected Versions

All versions prior to v0.13.4

Patched Versions

v0.13.4 and later

Impact

Users with permission to create DiscoveryServiceCertificate resources in one namespace can indirectly read Secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries.

Workarounds

Restrict permission to create DiscoveryServiceCertificate resources to cluster administrators only until the patched version is deployed.
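The workaround is only effective if no non-admin subject retains `create` on the resource through any Role or ClusterRole, including wildcard rules. The following audit script is an added example for this advisory, not MARIN3R project code: it walks the JSON that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` returns (here a constructed sample embedded inline), resolves each binding to its rules, and lists every subject that can create `discoveryservicecertificates`. The API group `operator.marin3r.3scale.net` and the admin set `Group/system:masters` are assumptions; check the group against `kubectl api-resources` before relying on the output.

```python
"""Audit which subjects can create DiscoveryServiceCertificate resources.

Added example (not MARIN3R code). Reads the items list produced by
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
and reports every subject whose bound role grants `create` on the resource,
so the "cluster administrators only" workaround can be verified.
"""
import json
import sys

RESOURCE = "discoveryservicecertificates"
API_GROUP = "operator.marin3r.3scale.net"   # assumed CRD group; verify with kubectl api-resources
VERB = "create"
ADMIN_SUBJECTS = {"Group/system:masters"}   # assumed set of subjects allowed to keep the verb


def _matches(values, wanted):
    """RBAC list semantics: '*' is a wildcard; an absent list matches nothing."""
    return "*" in values or wanted in values


def rule_grants(rule, verb=VERB, group=API_GROUP, resource=RESOURCE):
    """True if one PolicyRule allows verb on group/resource.
    nonResourceURL rules carry no `resources` key and therefore never match."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def _subject_id(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def find_grantees(items, verb=VERB, group=API_GROUP, resource=RESOURCE):
    """Resolve each (Cluster)RoleBinding to its rules; return subjects holding the verb."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace") if obj["kind"] == "Role" else None
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules") or []

    grantees = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, binding_ns = obj["roleRef"], obj["metadata"].get("namespace")
        # A RoleBinding may reference a Role in its own namespace or a ClusterRole;
        # a ClusterRoleBinding references a ClusterRole only.
        rules = roles.get((ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"]))
        if rules is None:          # dangling roleRef grants nothing
            continue
        if not any(rule_grants(r, verb, group, resource) for r in rules):
            continue
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else f"namespace {binding_ns}"
        prefix = f"{binding_ns}/" if binding_ns else ""
        for subj in obj.get("subjects") or []:
            grantees.append({"subject": _subject_id(subj),
                             "binding": f"{obj['kind']}/{prefix}{obj['metadata']['name']}",
                             "role": f"{ref['kind']}/{ref['name']}", "scope": scope})
    return grantees


def unexpected_grantees(items, admin_subjects=ADMIN_SUBJECTS, **kw):
    """Grantees outside the admin set: each one is a gap in the workaround."""
    return [g for g in find_grantees(items, **kw) if g["subject"] not in admin_subjects]


def _obj(kind, name, ns=None, rules=None, ref=None, subjects=None):
    """Build a minimal RBAC object in the shape kubectl returns (for the sample below)."""
    obj = {"kind": kind, "metadata": {"name": name}}
    if ns:
        obj["metadata"]["namespace"] = ns
    if rules is not None:
        obj["rules"] = rules
    if ref:
        obj["roleRef"] = {"kind": ref[0], "name": ref[1]}
    if subjects:
        obj["subjects"] = subjects
    return obj


_RULE_ALL = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
_RULE_CERT_EDIT = {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["get", "list", "create"]}
_RULE_CERT_VIEW = {"apiGroups": [API_GROUP], "resources": [RESOURCE], "verbs": ["get", "list", "watch"]}

SAMPLE_ITEMS = [  # constructed sample data, not taken from a real cluster
    _obj("ClusterRole", "cluster-admin", rules=[_RULE_ALL, {"nonResourceURLs": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "marin3r-cert-editor", rules=[_RULE_CERT_EDIT]),
    _obj("ClusterRole", "marin3r-cert-viewer", rules=[_RULE_CERT_VIEW]),
    _obj("Role", "wildcard-editor", ns="team-a", rules=[_RULE_ALL]),
    _obj("ClusterRoleBinding", "cluster-admins", ref=("ClusterRole", "cluster-admin"),
         subjects=[{"kind": "Group", "name": "system:masters"}]),
    _obj("ClusterRoleBinding", "cert-viewers", ref=("ClusterRole", "marin3r-cert-viewer"),
         subjects=[{"kind": "Group", "name": "developers"}]),
    _obj("RoleBinding", "cert-editors", ns="team-a", ref=("ClusterRole", "marin3r-cert-editor"),
         subjects=[{"kind": "User", "name": "alice"}]),
    _obj("RoleBinding", "ci", ns="team-a", ref=("Role", "wildcard-editor"),
         subjects=[{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "team-a"}]),
    _obj("RoleBinding", "stale", ns="team-b", ref=("Role", "missing-role"),
         subjects=[{"kind": "User", "name": "bob"}]),
]

if __name__ == "__main__":
    # Usage: kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json > rbac.json
    #        python audit_dsc_create.py rbac.json      (no argument: run on the sample)
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_ITEMS
    for g in unexpected_grantees(items):
        print(f"{g['subject']} can {VERB} {RESOURCE} ({g['scope']}) via {g['binding']} -> {g['role']}")
```

On the sample, `alice` (through a ClusterRole bound per namespace) and the `ci-bot` ServiceAccount (through a wildcard Role) are reported; `developers` only has read verbs and the `team-b` binding points at a Role that does not exist, so neither appears. Wildcard rules are the case most often missed when tightening permissions by hand, which is why they are matched explicitly rather than by literal resource name only.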

Credit

Thanks to @debuggerchen for the responsible disclosure.

Packages

Name: github.com/3scale-sre/marin3r (go)

Affected versions: <= 0.13.3
Fixed version: 0.13.4

EPSS

Percentile: 10%
Score: 0.00035
Low

CVSS4: 8.7 High

Weaknesses

CWE-862 (Missing Authorization)

Related vulnerabilities

nvd
3 months ago

MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.
