GHSA-c339-mwfc-fmr2

Source
https://github.com/advisories/GHSA-c339-mwfc-fmr2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-c339-mwfc-fmr2/GHSA-c339-mwfc-fmr2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c339-mwfc-fmr2
Aliases
Published
2025-03-17T18:31:53Z
Modified
2025-03-18T18:41:57.253218Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Openshift Hive Exposes VCenter Credentials via ClusterProvision
Details

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.

Database specific
{
    "nvd_published_at": "2025-03-17T17:15:40Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-17T21:27:56Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-922"
    ]
}
References

Affected packages

Go / github.com/openshift/hive

Package
Name: github.com/openshift/hive
Purl: pkg:golang/github.com/openshift/hive

Affected ranges
Type: SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Last affected: 1.1.16