Missing Authorization in github.com/3scale-sre/marin3r/internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r | CVE-2025-64171

Q: How to fix?

Upgrade github.com/3scale-sre/marin3r/internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r to version 0.13.4 or higher.

Introduced: 4 Nov 2025

NewCVE-2025-64171 (opens in a new tab) CWE-862 (opens in a new tab)

How to fix?

Upgrade github.com/3scale-sre/marin3r/internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r to version 0.13.4 or higher.

Overview

Affected versions of this package are vulnerable to Missing Authorization via the getIssuerCertificate function. An attacker can gain unauthorized access to Secrets in other namespaces by bypassing RBAC restrictions. This is only exploitable if the attacker has permission to create DiscoveryServiceCertificate resources in at least one namespace.

Workaround

This vulnerability can be mitigated by restricting DiscoveryServiceCertificate create permissions to cluster administrators only.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Missing Authorization Affecting github.com/3scale-sre/marin3r/internal/pkg/reconcilers/operator/discoveryservicecertificate/providers/marin3r package, versions <0.13.4

Severity

Do your applications use this vulnerable package?

Snyk Learn