Red Hat · Multicluster Engine · CVE-2026-7163
**Name of the Vulnerable Software and Affected Versions**
Multicluster Engine (affected versions not specified)
Red Hat Advanced Cluster Management (affected versions not specified)
**Description**
A flaw in the assisted-service REST API, an optional Assisted Installer component in the Multicluster Engine, enables an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for any cluster provisioned through the hub. In on-premises deployments using local authentication mode, the authenticator grants full administrative access to any request that carries a valid JSON Web Token (JWT), with no per-endpoint restrictions. A valid local JWT is stored as a plaintext query parameter in `InfraEnvStatus.ISODownloadURL`, which is readable by any user with read permission on an `InfraEnv` object in their namespace. This allows an attacker to call the credentials download endpoint `GET /v2/clusters/{cluster id}/credentials` to retrieve the `kubeadmin` password, as well as the kubeconfig download endpoint, resulting in unrestricted root-level administrative access to spoke clusters.
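As an added defensive example (not code from the advisory or the assisted-service project): an audit that scans `InfraEnv` objects, as returned by `kubectl get infraenv -A -o json`, for a JWT embedded in a query parameter of `status.isoDownloadURL`, so an administrator can see which namespaces currently expose such a token and tighten read access to those objects. The `isoDownloadURL` serialization of the status field, the `api_key` parameter name and all sample data are assumptions constructed for this example.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample shaped like `kubectl get infraenv -A -o json`. Names, URLs and the unsigned
# token are made up; the `api_key` parameter name is an assumption, not taken from the advisory.
_FAKE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "example-infra-env"}).encode()),
    _b64url(b"not-a-real-signature"),
])
SAMPLE_INFRAENVS = {"items": [
    {"metadata": {"namespace": "team-a", "name": "edge-1"},
     "status": {"isoDownloadURL": "https://assisted.example.invalid/api/assisted-install/v2/"
                "infra-envs/abc/downloads/image?api_key=" + _FAKE_JWT}},
    {"metadata": {"namespace": "team-b", "name": "edge-2"},
     "status": {"isoDownloadURL": "https://assisted.example.invalid/images/def.iso?version=4.14"}},
    {"metadata": {"namespace": "team-c", "name": "edge-3"}, "status": {}},
]}

def _decode_segment(segment: str):
    """Decode one base64url JWT segment as JSON; None if it is not valid base64url JSON."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        return None

def looks_like_jwt(value: str) -> bool:
    """A JWT is header.payload.signature with a JSON-object header that names an `alg`."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    header = _decode_segment(parts[0])
    return isinstance(header, dict) and "alg" in header

def find_embedded_tokens(infraenv_list: dict) -> list:
    """Return one finding per InfraEnv whose status.isoDownloadURL carries a JWT in its query."""
    findings = []
    for item in infraenv_list.get("items", []):
        url = item.get("status", {}).get("isoDownloadURL") or ""
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if looks_like_jwt(value):
                meta = item.get("metadata", {})
                findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"), "param": key})
    return findings
```

Each finding names the namespace and object that expose a token, which is the input an administrator needs to review RBAC on `InfraEnv` reads and to decide which tokens to rotate once a fix is available.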
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.