{}

{}

{}

{"acknowledgement": "Red Hat would like to thank Andong Chen (Lab for Internet and Security Technology) and Zhaoxuan Isaac Jin (Lab for Internet and Security Technology) for reporting this issue.", "bugzilla": {"description": "observability-operator: Observability Operator privilege escalation", "id": "2355222", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355222"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues."], "mitigation": {"lang": "en:us", "value": "Currently, no mitigation is available for this vulnerability."}, "name": "CVE-2025-2843", "public_date": "2025-06-12T20:04:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2843"], "statement": "Red Hat rates this with an Important impact. Although the attacker may use a previously privileged account, the escalation may lead to broader cluster access.", "threat_severity": "Important"}

{}