Red Hat Multicluster Engine
cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:*:*:*:*:*:*:*
A vulnerability exists in the Red Hat ACM/MCE assisted-service, where raw pull-secret contents are written into the InfraEnv status message when pull-secret validation fails. This issue allows a namespace principal with the default view ClusterRole to indirectly access Secret data, specifically the .dockerconfigjson information, by reading InfraEnv objects. The vulnerability bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In a reproduced scenario, a ServiceAccount was denied access to read Secrets but was able to retrieve synthetic pull-secret credentials through the InfraEnv status.
Exploitation of this vulnerability leads to unauthorized disclosure of pull-secret contents, including sensitive information such as usernames, passwords, emails, and base64-encoded authentication data. This leakage occurs through the InfraEnv status, circumventing the intended RBAC restrictions that prevent view users from accessing Secrets.
To reproduce this vulnerability, a namespace view user must be in a namespace where an InfraEnv object references a pull secret that has failed validation. When an administrator creates or updates the InfraEnv, the invalid pull secret triggers the leak, allowing the view user to access the sensitive data through the InfraEnv status conditions.
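A defender-side audit for the leak described above, as an added example that is not Red Hat's code or part of the original advisory: it scans a JSON listing of InfraEnv objects for status condition messages that contain pull-secret material and reports only where they are. The marker patterns, the sample objects and the condition type and messages in them are constructed assumptions.

```python
import base64
import re

# Heuristic markers of .dockerconfigjson material in free text (assumed patterns).
MARKERS = [
    re.compile(r'"auths"\s*:'),
    re.compile(r'"(?:auth|password|username|email)"\s*:\s*"'),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def looks_like_basic_auth(token):
    """True if token base64-decodes to printable 'user:password' text."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return ":" in decoded and decoded.isprintable()


def audit_infraenvs(listing):
    """Return (namespace, name, condition type, markers) per suspicious condition."""
    findings = []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        for cond in item.get("status", {}).get("conditions", []):
            msg = cond.get("message", "")
            hits = [m.pattern for m in MARKERS if m.search(msg)]
            if any(looks_like_basic_auth(t) for t in B64_RUN.findall(msg)):
                hits.append("base64 user:password")
            if hits:  # report the location only; never echo the message itself
                findings.append((meta.get("namespace"), meta.get("name"),
                                 cond.get("type"), hits))
    return findings


# Constructed sample in the shape of a JSON object listing; all values are synthetic.
FAKE_AUTH = base64.b64encode(b"synthetic-user:synthetic-pass").decode()
SAMPLE = {"items": [
    {"metadata": {"namespace": "demo-a", "name": "leaky"},
     "status": {"conditions": [{"type": "ImageCreated", "status": "False",
      "message": 'pull secret invalid: {"auths":{"registry.example.com":{"auth":"%s"}}}' % FAKE_AUTH}]}},
    {"metadata": {"namespace": "demo-b", "name": "clean"},
     "status": {"conditions": [{"type": "ImageCreated", "status": "True",
      "message": "Image has been created"}]}},
]}

if __name__ == "__main__":
    for ns, name, ctype, hits in audit_infraenvs(SAMPLE):
        print(f"{ns}/{name} condition={ctype} markers={hits}")
```

To audit a cluster, parse the output of `oc get infraenv -A -o json` with `json.load` and pass it to `audit_infraenvs`; any pull secret referenced by a flagged InfraEnv should be treated as exposed to namespace viewers.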