Observability-operator: observability operator privilege escalation_CVE-2025-2843

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.

AI Analysis

Privilege escalation vulnerability in Observability Operator allowing adversarial Kubernetes accounts to elevate permissions to cluster level

Basic Information

ID CVE-2025-2843

Source redhat

Published Nov 12, 2025 at 16:36

Modified Nov 12, 2025 at 21:05

Affected Product

Vendor Red Hat

Product Cluster Observability Operator 1.3.0

Version sha256:efff0f5b6835286172ae99dd368dcc48aca98398c382cb4c38d02533afee8670

CWE Classification

CWE-266

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Red Hat

Product Cluster Observability Operator

Version 1.3.0

References

{
    "lastseen": "",
    "description": "A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.",
    "published": "2025-11-12T16:36:04.735Z",
    "modified": "2025-11-12T21:05:01.616Z",
    "type": "cve",
    "title": "Observability-operator: observability operator privilege escalation",
    "source": "redhat",
    "references": "https://access.redhat.com/errata/RHSA-2025:21146\nhttps://access.redhat.com/security/cve/CVE-2025-2843\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2355222",
    "id": "CVE-2025-2843",
    "bulletinFamily": "",
    "cwe": [
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Cluster Observability Operator 1.3.0",
    "version": "sha256:efff0f5b6835286172ae99dd368dcc48aca98398c382cb4c38d02533afee8670",
    "vendor": "Red Hat",
    "ai_description": "Privilege escalation vulnerability in Observability Operator allowing adversarial Kubernetes accounts to elevate permissions to cluster level",
    "ai_severity": "High",
    "ai_vendor": "Red Hat",
    "ai_product": "Cluster Observability Operator",
    "ai_version": "1.3.0",
    "ai_score": 8.8
}