A flaw was found in the OpenShift Lightspeed Service, which is vulnerable to unauthenticated API request flooding. Repeated queries to non-existent endpoints inflate metrics storage and processing, consuming excessive resources. This issue can lead to monitoring system degradation, increased disk usage, and potential service unavailability. Since the issue does not require authentication, an external attacker can exhaust CPU, RAM, and disk space, impacting both application and cluster stability.
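The mechanism the advisory describes is a metrics cardinality problem: if the request counter is labelled with the raw URL path, every non-existent path an unauthenticated client invents becomes a new time series, and the metrics store, scraper and query path grow with the attacker's request count rather than with the service's real route table. The following is an added example written for this page, not code from the OpenShift Lightspeed Service (the page does not describe how the service's metrics are implemented); the route table, label names, in-memory counter and traffic are all constructed for illustration. It shows the vulnerable labelling beside a hardened recorder that labels only by matched route, collapses unknown paths into a single series, and caps the label set as defence in depth.

```python
"""Added example (not OpenShift Lightspeed Service code): a toy request-metrics
recorder showing how labelling by raw path lets an unauthenticated client create
one new time series per invented path, and a hardened recorder that labels by
matched route only and caps the label set. Routes and traffic are constructed."""
from collections import Counter
from typing import List, Optional, Tuple

# Hypothetical route table; a real service takes this from its router.
KNOWN_ROUTES = frozenset({"/v1/query", "/v1/feedback", "/readiness", "/liveness"})


def match_route(path: str) -> Optional[str]:
    """Return the matched route template, or None for a non-existent endpoint."""
    return path if path in KNOWN_ROUTES else None


class VulnerableRecorder:
    """Labels the request counter with the raw path and status.

    Every distinct non-existent path becomes a new (path, status) series, so
    metrics storage and scrape cost grow with the number of paths an attacker
    sends, and no authentication is needed to send them.
    """

    def __init__(self) -> None:
        self.series: Counter = Counter()

    def record(self, path: str, status: int) -> None:
        self.series[(path, status)] += 1

    def cardinality(self) -> int:
        return len(self.series)


class HardenedRecorder:
    """Labels only with the matched route; all unmatched paths share one series.

    max_series is a defence-in-depth cap: once the label set is full, new label
    combinations are dropped (and counted in self.dropped) instead of stored.
    """

    UNMATCHED = "<unmatched>"

    def __init__(self, max_series: int = 1000) -> None:
        self.series: Counter = Counter()
        self.max_series = max_series
        self.dropped = 0

    def record(self, path: str, status: int) -> None:
        key = (match_route(path) or self.UNMATCHED, status)
        if key not in self.series and len(self.series) >= self.max_series:
            self.dropped += 1
            return
        self.series[key] += 1

    def cardinality(self) -> int:
        return len(self.series)


def flood_paths(n: int) -> List[str]:
    """Constructed attacker traffic: n requests, each to a fresh bogus path."""
    return [f"/v1/does-not-exist/{i}" for i in range(n)]


def handle(recorder, path: str) -> int:
    """Route the request, derive the HTTP status, record the metric, return status."""
    status = 200 if match_route(path) else 404
    recorder.record(path, status)
    return status


def run(recorder, paths: List[str]) -> int:
    """Serve every path through the recorder and return the resulting series count."""
    for path in paths:
        handle(recorder, path)
    return recorder.cardinality()


def run_capped(max_series: int, paths: List[str]) -> Tuple[int, int]:
    """Return (series stored, series dropped) for a HardenedRecorder with a cap."""
    rec = HardenedRecorder(max_series=max_series)
    run(rec, paths)
    return rec.cardinality(), rec.dropped


if __name__ == "__main__":
    traffic = flood_paths(5000) + ["/v1/query", "/readiness"]
    print("vulnerable series:", run(VulnerableRecorder(), traffic))  # 5002
    print("hardened series:  ", run(HardenedRecorder(), traffic))    # 3
```

Two things follow from the example for anyone assessing exposure. First, the label source matters more than the label count: a counter keyed by the router's matched template has a cardinality bounded by the route table, while one keyed by the raw path (or query string, user agent, or any other client-controlled value) is bounded only by what clients choose to send. Second, because the advisory's attacker is unauthenticated, an authentication or rate-limit check that runs before routing and metrics collection removes most of the attack surface on its own; the capped recorder is the fallback for whatever still reaches the handler. A quick field check is to send a burst of requests to random non-existent paths against a test instance and watch whether the service's per-request metric gains a new series per request.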
History

Each entry lists the field changed and the values removed and added (written as removed -> added where both exist).

Wed, 02 Apr 2025 02:15:00 +0000

  References    (no values listed)
  Metrics       threat_severity: None -> Important

Mon, 31 Mar 2025 12:15:00 +0000

  Metrics       ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 11:45:00 +0000

  Description          added: the flaw description shown at the top of this page
  Title                added: Ols: unauthenticated metrics flooding in OpenShift Lightspeed Service leading to resource exhaustion
  First Time appeared  Redhat; Redhat openshift Lightspeed
  Weaknesses           added: CWE-400 (Uncontrolled Resource Consumption)
  CPEs                 added: cpe:/a:redhat:openshift_lightspeed
  Vendors & Products   added: Redhat; Redhat openshift Lightspeed
  References           (no values listed)
  Metrics              cvssV3_1 added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

  Status:    PUBLISHED
  Assigner:  redhat
  Published: 2025-03-31T11:33:24.980Z
  Updated:   2025-05-21T22:13:57.078Z
  Reserved:  2025-03-21T05:56:36.705Z
  Link:      CVE-2025-2586

Vulnrichment

  Updated:   2025-03-31T11:58:34.853Z

NVD

  Status:    Awaiting Analysis
  Published: 2025-03-31T12:15:15.073
  Modified:  2025-04-01T20:26:30.593
  Link:      CVE-2025-2586

Red Hat

  Severity:     Important
  Public Date:  2025-03-31T08:00:00Z
  Links:        CVE-2025-2586 - Bugzilla