rhba-2025:16983
Vulnerability from csaf_redhat
Published
2025-09-29 17:16
Modified
2025-10-02 14:40
Summary
Red Hat Bug Fix Advisory: RHOAI 2.21.0 - Red Hat OpenShift AI
Notes
Topic
Updated images are now available for Red Hat OpenShift AI.
Details
Release of RHOAI 2.21.0 provides these changes:
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated images are now available for Red Hat OpenShift AI.", "title": "Topic" }, { "category": "general", "text": "Release of RHOAI 2.21.0 provides these changes:", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHBA-2025:16983", "url": "https://access.redhat.com/errata/RHBA-2025:16983" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/", "url": "https://docs.redhat.com/en/documentation/red_hat_openshift_ai/" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/", "url": "https://access.redhat.com/security/updates/classification/" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/cve-2025-10725", "url": "https://access.redhat.com/security/cve/cve-2025-10725" }, { "category": "external", "summary": 
"https://access.redhat.com/security/cve/cve-2025-57852", "url": "https://access.redhat.com/security/cve/cve-2025-57852" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhba-2025_16983.json" } ], "title": "Red Hat Bug Fix Advisory: RHOAI 2.21.0 - Red Hat OpenShift AI", "tracking": { "current_release_date": "2025-10-02T14:40:58+00:00", "generator": { "date": "2025-10-02T14:40:58+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.8" } }, "id": "RHBA-2025:16983", "initial_release_date": "2025-09-29T17:16:12+00:00", "revision_history": [ { "date": "2025-09-29T17:16:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2025-09-30T16:12:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-02T14:40:58+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift AI 2.21", "product": { "name": "Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_ai:2.21::el9" } } } ], "category": "product_family", "name": "Red Hat OpenShift AI" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "product": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "product_id": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "product_identification_helper": { "purl": 
"pkg:oci/odh-dashboard-rhel9@sha256%3A0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758709863" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "product": { "name": "registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "product_id": "registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "product_identification_helper": { "purl": "pkg:oci/odh-modelmesh-rhel9@sha256%3A687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b?arch=amd64\u0026repository_url=registry.redhat.io/rhoai" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "product": { "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "product_id": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "product_identification_helper": { "purl": "pkg:oci/odh-operator-bundle@sha256%3Ae9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758724953" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "product": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "product_id": 
"registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "product_identification_helper": { "purl": "pkg:oci/odh-rhel9-operator@sha256%3A9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857?arch=amd64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758715880" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "product": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "product_id": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odh-dashboard-rhel9@sha256%3A301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758709863" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "product": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "product_identification_helper": { "purl": "pkg:oci/odh-rhel9-operator@sha256%3A66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8?arch=ppc64le\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758715880" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": 
"registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "product": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "product_id": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "product_identification_helper": { "purl": "pkg:oci/odh-dashboard-rhel9@sha256%3Ac25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5?arch=s390x\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758709863" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "product": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "product_identification_helper": { "purl": "pkg:oci/odh-rhel9-operator@sha256%3A799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6?arch=s390x\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758715880" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "product": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "product_id": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "product_identification_helper": { "purl": 
"pkg:oci/odh-dashboard-rhel9@sha256%3Add32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3?arch=arm64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758709863" } } }, { "category": "product_version", "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64", "product": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64", "product_id": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64", "product_identification_helper": { "purl": "pkg:oci/odh-rhel9-operator@sha256%3Adb339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b?arch=arm64\u0026repository_url=registry.redhat.io/rhoai\u0026tag=v2.21.1-1758715880" } } } ], "category": "architecture", "name": "arm64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64" }, "product_reference": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 
2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le" }, "product_reference": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x" }, "product_reference": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64" }, "product_reference": "registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64" }, 
"product_reference": "registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64" }, "product_reference": "registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le" }, "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x" }, "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", 
"relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64" }, "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64 as a component of Red Hat OpenShift AI 2.21", "product_id": "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" }, "product_reference": "registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64", "relates_to_product_reference": "Red Hat OpenShift AI 2.21" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-10725", "cwe": { "id": "CWE-266", "name": "Incorrect Privilege Assignment" }, "discovery_date": "2025-09-19T08:42:33.326000+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red 
Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2396641" } ], "notes": [ { "category": "description", "text": "A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster\u0027s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.", "title": "Vulnerability description" }, { "category": "summary", "text": "openshift-ai: Overly Permissive ClusterRole Allows Authenticated Users to Escalate Privileges to Cluster Admin", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Security Ratings classify this as an Important and not Critical because it requires minimal authentication for the remote attacker to Jeopardize an environment. 
Following https://access.redhat.com/security/updates/classification", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ], "known_not_affected": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64" ] }, "references": [ { "category": "self", 
"summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-10725" }, { "category": "external", "summary": "RHBZ#2396641", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396641" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-10725", "url": "https://www.cve.org/CVERecord?id=CVE-2025-10725" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-10725", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10725" } ], "release_date": "2025-09-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-09-29T17:16:12+00:00", "details": "For Red Hat OpenShift AI 2.21.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/", "product_ids": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHBA-2025:16983" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat OpenShift AI 
2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat OpenShift AI 
2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "openshift-ai: Overly Permissive ClusterRole Allows Authenticated Users to Escalate Privileges to Cluster Admin" }, { "acknowledgments": [ { "names": [ "Michael Whale", "Antony Di Scala" ] } ], "cve": "CVE-2025-57852", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2025-08-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat 
OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2391105" } ], "notes": [ { "category": "description", "text": "A container privilege escalation flaw was found in KServe ModelMesh container images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. 
This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.", "title": "Vulnerability description" }, { "category": "summary", "text": "openshift-ai: privilege escalation via excessive /etc/passwd permissions", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Security Ratings classify this as a Low and not Moderate in Red Hat OpenShift AI due to the restrictive SCC profile used for the ModelMesh containers. The restricted-v2 profile fully mitigates this vulnerability by dropping the SETUID and SETGID privileges, blocking the two system calls from processes within the container and preventing privilege escalation.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64" ], "known_not_affected": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 
2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2025-57852" }, { "category": "external", "summary": "RHBZ#2391105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391105" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2025-57852", "url": "https://www.cve.org/CVERecord?id=CVE-2025-57852" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-57852", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57852" } ], "release_date": "2025-09-30T14:25:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-09-29T17:16:12+00:00", "details": "For Red Hat OpenShift AI 2.21.0 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.redhat.com/en/documentation/red_hat_openshift_ai/", "product_ids": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHBA-2025:16983" } ], "scores": [ { 
"cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L", "version": "3.1" }, "products": [ "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:0a4f139cdacd228206c5a5a6b34b57ea87b040a58a46534ebc5daeda7d70cb19_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:301a5939cc80923b789f9efaf96601b32d067472750afb22a7d001822b235ab0_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:c25cf00dde02c342509a9617a3d1b55ec72236a6dacd2f38f9331ea4d8701fa5_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-dashboard-rhel9@sha256:dd32ff192490d1832df545699f66b80911f55d6ee36ead72b6a745dd7d4938e3_arm64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-modelmesh-rhel9@sha256:687c8eeed55f021ecaab1307f0e88b5b16d91f72d63b3d7168d7bbee90e8947b_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-operator-bundle@sha256:e9612ec99daa171c403b5ddf37788526e5375b83987e5de9b1ebe519198607b4_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:66e2c3916ae1cdb08edab90f0868965b26991ce43fb120db7f2d05311d90c9c8_ppc64le", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:799b0f8dc02e0e081582f5f6594f0a224aee1472c260f31058c78f54d005d7c6_s390x", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:9f7620cc36c23dbf8528ecc04742861a65e867b338c582b84055559ab553f857_amd64", "Red Hat OpenShift AI 2.21:registry.redhat.io/rhoai/odh-rhel9-operator@sha256:db339d2d4f86af4efa695ef193d19e26b25fec80017fa2780833a4cd944e383b_arm64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "openshift-ai: privilege 
escalation via excessive /etc/passwd permissions" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.