x/vulndb: potential Go vuln in github.com/rhobs/observability-operator: GHSA-mj6p-p843-x5wc #4125

@GoVulnBot

Description

Advisory GHSA-mj6p-p843-x5wc references a vulnerability in the following Go modules:

Module
github.com/rhobs/observability-operator

Description:
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rhobs/observability-operator
      versions:
        - fixed: 1.3.0
      vulnerable_at: 1.2.0
summary: |-
    Observability Operator is vulnerable to Incorrect Privilege Assignment through
    its Custom Resource MonitorStack in github.com/rhobs/observability-operator
cves:
    - CVE-2025-2843
ghsas:
    - GHSA-mj6p-p843-x5wc
references:
    - advisory: https://github.com/advisories/GHSA-mj6p-p843-x5wc
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-2843
    - fix: https://github.com/rhobs/observability-operator/commit/98b927fab755decd6e030ac6af5c005879bab020
    - web: https://access.redhat.com/errata/RHSA-2025:21146
    - web: https://access.redhat.com/security/cve/CVE-2025-2843
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2355222
    - web: https://github.com/rhobs/observability-operator/releases/tag/v1.3.0
source:
    id: GHSA-mj6p-p843-x5wc
    created: 2025-11-14T22:02:01.934729604Z
review_status: UNREVIEWED
