GHSA-gf93-xccm-5g6j: MARIN3R: Cross-Namespace Vulnerability in the Operator

Summary

Cross-namespace Secret access vulnerability in DiscoveryServiceCertificate allows users to bypass RBAC and access Secrets in unauthorized namespaces.

Affected Versions

All versions prior to v0.13.4

Patched Versions

v0.13.4 and later

Impact

Users with permission to create DiscoveryServiceCertificate resources in one namespace can indirectly read Secrets from other namespaces, completely bypassing Kubernetes RBAC security boundaries.

Workarounds

Restrict DiscoveryServiceCertificate create permissions to cluster administrators only until a patched version is deployed.
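
Applying this workaround starts with knowing which subjects hold the create permission today. The audit script below is an added example, not part of the advisory or of the MARIN3R project; the API group `operator.marin3r.3scale.net`, the plural resource name `discoveryservicecertificates` and every object name in the sample are assumptions, so confirm the first two with `kubectl api-resources`.

```python
import json
import sys

# Assumed identifiers (not stated in the advisory); confirm with `kubectl api-resources`.
GROUP = "operator.marin3r.3scale.net"
RESOURCE = "discoveryservicecertificates"

def grants_create(rule):
    """True if one RBAC PolicyRule allows create on the resource, wildcards included."""
    return (any(g in ("*", GROUP) for g in rule.get("apiGroups") or [])
            and any(r in ("*", RESOURCE) for r in rule.get("resources") or [])
            and any(v in ("*", "create") for v in rule.get("verbs") or []))

def subjects_with_create(items):
    """Return sorted (scope, subject kind, subject name, role) tuples;
    scope is the namespace the grant applies to, or "*" for cluster-wide."""
    risky = set()  # (kind, namespace, name) of every role that grants create
    for o in items:
        if o["kind"] in ("Role", "ClusterRole") and any(map(grants_create, o.get("rules") or [])):
            risky.add((o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]))
    found = []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = o["roleRef"], o["metadata"].get("namespace", "")
        # A RoleBinding may point at a ClusterRole; the grant is then limited to ns.
        if (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]) not in risky:
            continue
        scope = "*" if o["kind"] == "ClusterRoleBinding" else ns
        found += [(scope, s["kind"], s["name"], ref["name"]) for s in o.get("subjects") or []]
    return sorted(found)

def obj(kind, name, ns=None, **body):  # builds one object of the constructed sample
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **body}

# Constructed sample standing in for real kubectl output; all names are made up.
SAMPLE = [
    obj("ClusterRole", "cluster-admin", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    obj("ClusterRoleBinding", "admins", roleRef={"kind": "ClusterRole", "name": "cluster-admin"},
        subjects=[{"kind": "Group", "name": "system:masters"}]),
    obj("Role", "envoy-dev", "team-a", rules=[{"apiGroups": [GROUP], "resources": [RESOURCE], "verbs": ["get", "create"]}]),
    obj("RoleBinding", "envoy-dev", "team-a", roleRef={"kind": "Role", "name": "envoy-dev"},
        subjects=[{"kind": "User", "name": "alice"}]),
]

if __name__ == "__main__":
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for row in subjects_with_create(items):
        print(*row, sep="\t")
```

To audit a live cluster, pipe `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` into the script; any listed subject that is not a cluster administrator is a candidate for losing the grant until v0.13.4 or later is deployed.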

Credit

Thanks to @debuggerchen for the responsible disclosure.

CVE ID: CVE-2025-64171

Severity: High (GitHub Reviewed). Published Nov 4, 2025 in 3scale-sre/marin3r; updated Nov 4, 2025.

Package

gomod github.com/3scale-sre/marin3r (Go)

Affected versions

<= 0.13.3

References

  • GHSA-gf93-xccm-5g6j
  • 3scale-sre/marin3r#294
  • 3scale-sre/marin3r@c60246a

Published to the GitHub Advisory Database: Nov 4, 2025
