CVE-2025-25209 Information

Description

The AuthPolicy metadata on Red Hat Connectivity Link contains an object that stores secrets; however, it assumes those secrets already exist in the kuadrant-system namespace instead of copying them to the referenced namespace. This gives a malicious actor with developer-persona access a way to leak those secrets over an HTTP connection, as long as the attacker knows the names of the targeted secrets and those secrets are limited to a single line.

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Reference

https://access.redhat.com/security/cve/CVE-2025-25209
https://bugzilla.redhat.com/show_bug.cgi?id=2347438

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

Base Score

5.7

Base Severity

MEDIUM
