CVE-2025-64171

Description

MARIN3R is a lightweight, CRD based envoy control plane for kubernetes. In versions 0.13.3 and below, there is a cross-namespace secret access vulnerability in the project's DiscoveryServiceCertificate which allows users to bypass RBAC and access secrets in unauthorized namespaces. This issue is fixed in version 0.13.4.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

3scale-sre / marin3r< 0.13.4 – < 0.13.4

References

VENDOR_ADVISORYhttps://github.com/3scale-sre/marin3r/security/advisories/GHSA-gf93-xccm-5g6j
PATCHhttps://github.com/3scale-sre/marin3r/commit/859b14115fde1d67620e645cd1b62e90e30d9981