The Cost Management Metrics Operator component in Red Hat's OpenShift environment has been found to contain multiple security vulnerabilities, including CVE-2025-11187 and 14 additional CVEs. These vulnerabilities affect the operator that queries Prometheus for usage data and uploads metrics to the Red Hat Cost Management service. The advisory references a new operator release (version 4.3.1) but explicitly states no fixes are included in this update. The operator runs on the latest supported OpenShift versions and is distributed via Red Hat container registries. The vulnerabilities span various CWE categories, indicating a range of potential issues, but detailed technical impact or exploitation methods are not provided.

The vulnerabilities are rated as high severity but no specific details on exploitation or impact are provided. The operator's role in querying Prometheus and uploading data suggests potential risks around data integrity, availability, or confidentiality of usage metrics. However, no known exploits in the wild have been reported. The absence of fixes in the current update implies that these vulnerabilities remain unmitigated in the released operator version. Users relying on this operator may be exposed to these security issues until further patches are released.

The vendor advisory does not indicate any fixes are currently available for these vulnerabilities. Users should ensure that all previously released errata relevant to their systems are applied before updating to the new operator version 4.3.1. Monitor Red Hat's official advisories for future updates that address these issues. Follow the documented procedures for upgrading operators in OpenShift as per Red Hat's guidance. No specific workaround or temporary fix is provided in the advisory.