Vulnerability Report: GO-2025-3530
- CVE-2025-29781, GHSA-c98h-7hp9-v9hq
- Affects: github.com/metal3-io/baremetal-operator/apis
- Published: Mar 18, 2025
- Unreviewed
Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD in github.com/metal3-io/baremetal-operator/apis
For detailed information about this vulnerability, visit https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq.
Affected Modules
- Path: github.com/metal3-io/baremetal-operator/apis
- Go Versions: before v0.8.1, from v0.9.0 before v0.9.1
References
- https://github.com/metal3-io/baremetal-operator/security/advisories/GHSA-c98h-7hp9-v9hq
- https://github.com/metal3-io/baremetal-operator/commit/19f8443b1fe182f76dd81b43122e8dd102f8b94c
- https://github.com/metal3-io/baremetal-operator/pull/2321
- https://github.com/metal3-io/baremetal-operator/pull/2322
- https://github.com/metal3-io/metal3-docs/blob/main/design/baremetal-operator/bmc-events.md
- https://vuln.go.dev/ID/GO-2025-3530.json
This report is unreviewed. It was automatically generated from a third-party source and its details have not been verified by the Go team.