Red Hat OpenShift GitOps Operator Namespace Isolation Vulnerability

Vulnerability

A vulnerability exists in the OpenShift GitOps operator container: the operator automatically applies the label 'openshift.io/cluster-monitoring' to every namespace that contains an ArgoCD custom resource instance. That label marks a namespace as one the platform monitoring stack loads rules from, so a user with access to such a namespace can create a potentially harmful PrometheusRule that is distributed cluster-wide and impacts the entire platform monitoring stack. This breaks namespace isolation, since an object created in one namespace can affect the whole cluster.
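An added audit script, not part of this advisory or of the GitOps operator: it takes namespace and PrometheusRule inventories in the JSON shape returned by `oc get namespaces -o json` and `oc get prometheusrules -A -o json` (constructed sample data is embedded here) and reports tenant namespaces that carry the `openshift.io/cluster-monitoring` label, plus the PrometheusRule objects in them that platform monitoring would load. It assumes the selected label value is "true" and that namespace names starting with `openshift-` are platform-owned.

```python
import json

CLUSTER_MONITORING_LABEL = "openshift.io/cluster-monitoring"
# Assumption: platform monitoring selects namespaces carrying the value "true".
CLUSTER_MONITORING_VALUE = "true"

# Constructed sample inventory shaped like `oc get namespaces -o json` and
# `oc get prometheusrules -A -o json`; not captured from a real cluster.
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "openshift-monitoring",
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-a",   # tenant namespace with an ArgoCD CR
                  "labels": {CLUSTER_MONITORING_LABEL: "true"}}},
    {"metadata": {"name": "team-b", "labels": {}}},
]})
RULES_JSON = json.dumps({"items": [
    {"metadata": {"name": "argocd-alerts", "namespace": "team-a"}},
    {"metadata": {"name": "app-latency", "namespace": "team-b"}},
]})


def labeled_tenant_namespaces(namespaces_json, trusted_prefix="openshift-"):
    # Tenant namespaces carrying the label. Names starting with trusted_prefix
    # are treated as platform namespaces (assumption: tenants cannot use it).
    found = []
    for item in json.loads(namespaces_json)["items"]:
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        if labels.get(CLUSTER_MONITORING_LABEL) != CLUSTER_MONITORING_VALUE:
            continue
        if not meta["name"].startswith(trusted_prefix):
            found.append(meta["name"])
    return sorted(found)


def rules_with_cluster_reach(namespaces_json, rules_json):
    # (namespace, rule) pairs that platform monitoring would load because
    # the rule lives in a labeled tenant namespace.
    exposed = set(labeled_tenant_namespaces(namespaces_json))
    hits = []
    for item in json.loads(rules_json)["items"]:
        meta = item["metadata"]
        if meta["namespace"] in exposed:
            hits.append((meta["namespace"], meta["name"]))
    return sorted(hits)


if __name__ == "__main__":
    for ns, rule in rules_with_cluster_reach(NAMESPACES_JSON, RULES_JSON):
        print(f"PrometheusRule {ns}/{rule} is loaded by platform monitoring")
```

Any namespace the script reports should have the label removed after the operator is updated, and its PrometheusRule objects reviewed.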

Impact

Exploitation of this vulnerability leads to a namespace isolation breach: a user with access to a namespace that holds an ArgoCD instance can affect the monitoring of the entire cluster from that namespace.

Remediation

Users can update to Red Hat OpenShift GitOps version 1.15.2 or 1.14.4, depending on their current version. Instructions for applying this update are available on the Red Hat Customer Portal.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.