SB2025121845 - Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.11

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025121845

SB2025121845 - Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.11

Published: December 18, 2025

Security Bulletin ID SB2025121845
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 20% Medium 60% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.


2) Incorrect default permissions (CVE-ID: CVE-2025-7195)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due the user_setup script set insecure permissions for the /etc/passwd file. A local user with ability to execute commands within an affected container can escalate privileges on the system.


3) Use of insufficiently random values (CVE-ID: CVE-2025-7783)

The vulnerability allows a remote attacker to perform parameter injection attacks.

The vulnerability exists due to software uses a weak Math.random() method to generated random values for multipart form-encoded data. A remote attacker can observe values produced by Math.random in the target application and predict the random number used to generate form-data's boundary value and inject arbitrary parameters into requests. 


4) Input validation error (CVE-ID: CVE-2025-9287)

The vulnerability allows a remote attacker to manipulate data or perform a denial of service attack.

The vulnerability exists due to a missing type check of untrusted input. A remote attacker can manipulate data representation within the application, which can lead to denial of service conditions or various calculation errors when handling private keys or hashes. 


5) Input validation error (CVE-ID: CVE-2025-9288)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a missing type check when handling untrusted input that can lead to calculation of invalid values or rewinding the hash state. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions. 


Remediation

Install update from vendor's website.

References