Impact
When a cluster is configured to run only a single operator (either the Topic Operator or the User Operator), the Strimzi Cluster Operator still assigns the Entity Operator ServiceAccount full RBAC rights for both operators. This misconfiguration allows the ServiceAccount to read KafkaUser custom resources and associated Secrets even when the User Operator is absent, or to read KafkaTopic resources when only the Topic Operator is present, creating an unauthorized disclosure of sensitive information stored in KafkaSecrets. The weakness is an improper permission assignment (CWE-272) that violates the principle of least privilege.
Affected Systems
Affected product is the Strimzi Cluster Operator used in Kubernetes environments. Versions prior to Strimzi 1.0.1 and 1.1.0 are impacted; the bug is fixed in those releases. Any deployment that uses the default Entity Operator ServiceAccount while only one of the Topic or User Operators is enabled will be vulnerable.
Risk and Exploitability
The vulnerability scores a CVSS of 5.4, indicating moderate complexity. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no widespread exploitation has been observed yet. The likely attack vector involves a pod or process within the same namespace that can acquire the Entity Operator ServiceAccount token, allowing it to read Kafka secrets and custom resources. An attacker with such access can extract sensitive configuration data, potentially compromising downstream applications.
OpenCVE Enrichment
Github GHSA