The vulnerability arises from a misconfigured internal proxy within the runtimes-inventory-rhel8-operator. This proxy is intended to handle specific inventory reports for the Red Hat cluster management platform. Due to incorrect configuration, the proxy attaches the cluster’s main administrative service account credentials to any command it processes. Normally, these credentials should only be used for authorized report transmission. The flaw allows the proxy to apply full admin privileges indiscriminately.

Any standard user with access to the cluster can interact with this proxy component. By sending crafted commands to the proxy’s endpoint, the user’s requests are forwarded with elevated credentials. The management platform then executes these commands as if from a cluster administrator. This bypasses all intended permission checks. The proxy does not validate the command source or restrict actions. It effectively becomes a privilege escalation vector.

The misconfiguration likely exists in the operator’s deployment manifests or proxy setup scripts. The operator runs in the openshift-operators namespace. The internal proxy communicates with external Red Hat services. When a user sends a request, the proxy erroneously injects the cluster-admin service account token. This token grants unlimited permissions across the entire cluster. Attackers can exploit this to run arbitrary kubectl or oc commands. They can deploy malicious workloads, exfiltrate secrets, or modify cluster settings. The vulnerability requires only standard user credentials, which are often easily obtained. Remediation involves reconfiguring the proxy to use least-privilege credentials.
Platform: runtimes-inventory-rhel8-operator
Version: <= 0.0.0-20251211184433-5123422abee1
Vulnerability: Misconfigured Internal Proxy
Severity: High
Date: Dec 15 2025
Prediction: Patch date TBD
What Undercode Say:
Analytics:
kubectl get pods
kubectl describe operator runtimes-inventory-rhel8-operator
kubectl logs deployment/runtimes-inventory-proxy
curl -X POST proxy-service:port
cat /var/run/secrets/kubernetes.io/serviceaccount/token
oc whoami --show-token
kubectl auth can-i --list
netstat -tulpn | grep proxy
ps aux | grep inventory-proxy
env | grep KUBERNETES
How Exploit:
Obtain standard user credentials.
Discover proxy service endpoint.
Craft HTTP POST request.
Inject malicious Kubernetes commands.
Use admin token forwarded.
Execute cluster-admin operations.
Protection from this CVE:
Update operator when patched.
Restrict proxy network access.
Apply least-privilege service accounts.
Audit cluster role bindings.
Monitor proxy logs.
Use network policies.
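The "Apply least-privilege service accounts" and "Audit cluster role bindings" steps can be checked offline against an export from `kubectl get clusterrolebindings -o json`. The script below is an added example, not code from the advisory or the operator; the binding and service account names in the sample are constructed, and only the openshift-operators namespace comes from the text above.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# All binding and service account names here are hypothetical.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "inventory-proxy-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "inventory-proxy",
                "namespace": "openshift-operators"}]},
 {"metadata": {"name": "all-operator-sas"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:openshift-operators"}]},
 {"metadata": {"name": "alice-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"metadata": {"name": "inventory-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "inventory-proxy",
                "namespace": "openshift-operators"}]},
 {"metadata": {"name": "dangling"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": null}
]}""")

SA_GROUP = "system:serviceaccounts"


def admin_service_accounts(crbs, namespace, role="cluster-admin"):
    """Return sorted (binding, subject) pairs granting `role` to service accounts in `namespace`."""
    findings = []
    for crb in crbs.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in crb.get("subjects") or []:  # subjects may be null on a binding
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount" and subj.get("namespace") == namespace:
                findings.append((crb["metadata"]["name"], f"{namespace}/{name}"))
            # Group bindings cover every service account, cluster-wide or per namespace.
            elif kind == "Group" and name in (SA_GROUP, f"{SA_GROUP}:{namespace}"):
                findings.append((crb["metadata"]["name"], name))
    return sorted(findings)


if __name__ == "__main__":
    for binding, subject in admin_service_accounts(SAMPLE, "openshift-operators"):
        print(f"{binding}: {subject} is bound to cluster-admin")
```

Namespaced RoleBindings that reference the cluster-admin ClusterRole are outside what this check covers and need a separate pass over `kubectl get rolebindings -A -o json`.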
Impact:
Full cluster compromise.
Unauthorized configuration changes.
Sensitive data exposure.
Service disruption possible.
Privilege escalation achieved.
Sources:
Reported By: github.com

