CVE-2025-11393— Insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator: improper proxy configuration allows unauthorized administrative commands
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-11393
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insights-runtimes-tech-preview/runtimes-inventory-rhel8-operator: improper proxy configuration allows unauthorized administrative commands
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
未有动机的代理或中间人(混淆代理)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Red Hat Runtimes Inventory Operator 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Red Hat Runtimes Inventory Operator是美国红帽(Red Hat)公司的一个程序运行时环境管理软件。 Red Hat Runtimes Inventory Operator存在安全漏洞,该漏洞源于内部代理组件配置不当,可能导致标准用户以集群管理员权限执行未授权命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Lightspeed (formerly Insights) for Runtimes 1 | sha256:08f473dec97e110a73e1c9886ee31512bb6937f87bdb95fbe77cb2d85695b936 ~ * | cpe:/a:redhat:lightspeed_for_runtimes:1.0::el9 | |
| Red Hat | Red Hat Runtimes Inventory Operator | - | cpe:/a:redhat:insights-runtimes:1 |
II. Public POCs for CVE-2025-11393
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-11393
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Red Hat
- CVE-2026-42011
Gnutls: gnutls: security bypass due to incorrect name constr - CVE-2026-42010
Gnutls: gnutls: authentication bypass via nul character in u - CVE-2026-6420
Keylime: keylime: security bypass due to hardcoded tpm quote - CVE-2026-34956
Openvswitch: open vswitch: denial of service via malformed f - CVE-2026-34002
Xorg: xwayland: x.org x server: information disclosure or de
Same weakness: CWE-441
- CVE-2026-45182
GrapheneOS 20260504前IP泄露漏洞 - CVE-2026-41365
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API - CVE-2026-6993
go-kratos http.DefaultServeMux Fallback server.go NewServer - CVE-2026-39906
Unisys WebPerfect Image Suite 3.0 NTLMv2 Hash Leakage via .N - CVE-2025-62718
Axios has a NO_PROXY Hostname Normalization Bypass that Lead
V. Comments for CVE-2025-11393
No comments yet