x/vulndb: potential Go vuln in github.com/openshift/hive: GHSA-c339-mwfc-fmr2

[GoVulnBot]

Advisory GHSA-c339-mwfc-fmr2 references a vulnerability in the following Go modules:

Module
github.com/openshift/hive

Description:
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.

References:

• ADVISORY: GHSA-c339-mwfc-fmr2
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-2241
• WEB: https://access.redhat.com/security/cve/CVE-2025-2241
• WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2351350

Cross references:

• github.com/openshift/hive appears in 1 other report(s):
  • data/reports/GO-2024-3360.yaml (x/vulndb: potential Go vuln in github.com/openshift/hive: CVE-2024-25133 #3360)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openshift/hive
      vulnerable_at: 1.1.16
summary: Openshift Hive Exposes VCenter Credentials via ClusterProvision in github.com/openshift/hive
cves:
    - CVE-2025-2241
ghsas:
    - GHSA-c339-mwfc-fmr2
references:
    - advisory: https://github.com/advisories/GHSA-c339-mwfc-fmr2
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-2241
    - web: https://access.redhat.com/security/cve/CVE-2025-2241
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=2351350
source:
    id: GHSA-c339-mwfc-fmr2
    created: 2025-03-17T22:01:11.974150879Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/658855 mentions this issue: data/reports: add 4 reports