Acm Red Hat Acm


By the Year

In 2025 there have been 6 vulnerabilities in Red Hat Acm with an average score of 6.3 out of ten. Last year, in 2024, Acm had 4 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2025 than in all of last year. Last year's average CVE base score was higher by 0.71.

Year   Vulnerabilities   Average Score
2025   6                 6.27
2024   4                 6.98

It may take a day or so for new Acm vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Acm Security Vulnerabilities

Nx npm package tampering: FS scan and credential exfil to GitHub
CVE-2025-10894 9.6 - Critical - September 24, 2025

Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's own account.

Embedded Malicious Code

Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195 5.2 - Medium - August 07, 2025

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Incorrect Default Permissions

CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556 3.7 - Low - August 06, 2025

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

Improper Verification of Cryptographic Signature

Red Hat RHACM v2.10-2.12 UI Credential Leakage (CVE-2025-6017)
CVE-2025-6017 5.5 - Medium - July 02, 2025

A flaw was found in Red Hat Advanced Cluster Management in versions 2.10 before 2.10.7, 2.11 before 2.11.4, and 2.12 before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users, and its exposure may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors.

Privacy violation

Hive in MCE/ACM Exposes vCenter Credentials via ClusterProvision
CVE-2025-2241 8.2 - High - March 17, 2025

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.

Insecure Storage of Sensitive Information

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regexes or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Privileged Container Exec via RBAC in Submariner (CVE-2024-5042)
CVE-2024-5042 6.6 - Medium - May 17, 2024

A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node, which may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.

Execution with Unnecessary Privileges

Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 8.3 - High - May 14, 2024

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Improper Validation of Integrity Check Value

CVE-2024-1139: Credentials Leak in OCP Cluster Monitor Op
CVE-2024-1139 7.7 - High - April 25, 2024

A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret.

Information Disclosure

CoreDNS invalid cache entries due to flawed caching mechanism
CVE-2024-0874 5.3 - Medium - April 25, 2024

A flaw was found in CoreDNS. This issue could lead to invalid cache entries being returned because the caching mechanism is incorrectly implemented.

Use of Cache Containing Sensitive Information
