{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-6017", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-06-11T21:09:21.420Z", "datePublished": "2025-07-02T06:36:47.171Z", "dateUpdated": "2025-08-11T08:51:03.813Z"}, "containers": {"cna": {"title": "Rhacm: users with clusterreader role can see credentials from managed-clusters", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhacm2/console-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:acm:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-6017", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372362", "name": "RHBZ#2372362", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-07-02T06:33:03.003Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-359", "description": "Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "timeline": [{"lang": "en", "time": "2025-06-11T21:09:13.313000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-07-02T06:33:03.003000+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-11T08:51:03.813Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:13:28.618310Z", "id": "CVE-2025-6017", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:13:39.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6017", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-02T13:13:28.618310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:13:33.871Z"}}], "cna": {"title": "Rhacm: users with clusterreader role can see credentials from managed-clusters", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:acm:2"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "packageName": "rhacm2/console-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-06-11T21:09:13.313000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-07-02T06:33:03.003000+00:00", "value": "Made public."}], "datePublic": "2025-07-02T06:33:03.003Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-6017", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372362", "name": "RHBZ#2372362", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-11T08:51:03.813Z"}, "x_redhatCweChain": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"}}, "cveMetadata": {"cveId": "CVE-2025-6017", "state": "PUBLISHED", "dateUpdated": "2025-08-11T08:51:03.813Z", "dateReserved": "2025-06-11T21:09:21.420Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-07-02T06:36:47.171Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "344CF216-2E92-488D-A2A7-46AB75008880", "versionEndExcluding": "2.10.7", "versionStartIncluding": "2.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B150B262-DB86-41D1-90D5-55E5C3C64B37", "versionEndExcluding": "2.11.4", "versionStartIncluding": "2.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "25378F99-5C58-4CEF-ABC4-0D61842CA8BA", "versionEndExcluding": "2.12.4", "versionStartIncluding": "2.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Red Hat Advanced Cluster Management en las versiones 2.10 (anteriores a la 2.10.7), 2.11 (anteriores a la 2.11.4) y 2.12 (anteriores a la 2.12.4). Esta vulnerabilidad permite a un usuario sin privilegios acceder a las credenciales confidenciales del cl\u00faster administrado a trav\u00e9s de la interfaz de usuario. Esta informaci\u00f3n solo deber\u00eda ser accesible para usuarios autorizados y puede provocar la p\u00e9rdida de confidencialidad de la informaci\u00f3n administrativa, que podr\u00eda filtrarse a usuarios no autorizados."}], "id": "CVE-2025-6017", "lastModified": "2025-08-20T16:33:58.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-07-02T07:15:23.293", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2025-6017"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372362"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "rhacm: Users with ClusterReader Role can see credentials from Managed-clusters", "id": "2372362", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372362"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-359", "details": ["A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.", "A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors."], "name": "CVE-2025-6017", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Under investigation", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}], "public_date": "2025-07-02T06:33:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-6017\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6017"], "statement": "Red Hat Advanced Cluster Management 2.13 is not affected by this issue as it was already fixed when this product version was released.", "threat_severity": "Moderate"}