8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11393

CVE-2025-11393: Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle.

This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-11393

CVE-2025-11393:

8.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/RedHatInsights/runtimes-inventory-operator	go	<= 0.0.0-20251211184433-5123422abee1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in a misconfigured internal proxy within the runtimes-inventory-rhel8-operator. This proxy incorrectly attaches cluster administrator credentials to all commands it processes, allowing any user who can access it to perform administrative actions. The analysis of the patch commit 5123422abee1 reveals that the vulnerability is mitigated by making the creation of a mutating webhook optional and disabling it by default. This webhook is responsible for setting up the vulnerable proxy.

The vulnerable functions are those involved in the unconditional creation of this webhook prior to the patch. The main function serves as the operator's entrypoint, which calls NewInsightsIntegration and then InsightsIntegration.Setup. The Setup function contained the core logic flaw: it always called createInsightsWebhook, which established the misconfigured proxy. The patch introduces an enable-webhook flag to control this behavior, effectively disabling the vulnerable component by default. Therefore, during exploitation on a vulnerable version, the main and InsightsIntegration.Setup functions would be present in the execution profile leading to the creation of the exploitable proxy.

Vulnerable functions

main

cmd/main.go

This is the main entrypoint function for the operator. It calls the `Setup` function which, prior to the patch, would unconditionally create the vulnerable webhook and proxy. The patch modifies the call to pass a flag that disables this behavior by default.

InsightsIntegration.Setup

pkg/insights/setup.go

This function is responsible for setting up the Insights integration. Before the patch, it unconditionally called `createInsightsWebhook` to create a proxy. The vulnerability description indicates this proxy was misconfigured to attach administrator credentials to all requests. The patch makes the creation of this webhook conditional and disabled by default, thus mitigating the vulnerability.

NewInsightsIntegration

pkg/insights/setup.go

This function is the constructor for the `InsightsIntegration` struct. It was modified to accept the `enableWebhook` flag, which is used by the `Setup` method to determine whether to create the vulnerable webhook. This function is part of the chain that leads to the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11393: Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access

CVE-2025-11393:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.7

8.7

CVE-2025-11393: Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI