Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.

In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00004.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
operator-framework operator-sdk unaffected
Version Status Constraints
0 affected < 0.15.2
Red Hat RHEL-9-CNV-4.17 affected
Version Status Constraints
v4.17.39-2 unaffected < *
Red Hat RHEL-9-CNV-4.18 affected
Version Status Constraints
v4.18.25-3 unaffected < *
Red Hat RHEL-9-CNV-4.20 affected
Version Status Constraints
v4.20.3-3 unaffected < *
Red Hat Compliance Operator 1 affected
Version Status Constraints
sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520 unaffected < *
Red Hat Compliance Operator 1 affected
Version Status Constraints
sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b unaffected < *
Red Hat File Integrity Operator 1 affected
Version Status Constraints
sha256:822fc16687164f666df5e498030bec3d3ab1e07d0a0576cc133a468e4ea01cf2 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:6575a549657eb7a0c51235fa9ce1ce4b601cd532e5a5e6e6a5a9513eda3215a3 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:99a16c7798169c4de9e3c3df560b102003f03c94cd1327796ac4a6ca3c7d4f24 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:6ff440b0fb6b959b2279db0513abfc88e464dd093fbc79c027da98eabe74d9c0 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:b3570ec2a487b8cfde96dc5eb8c1b1652d085af60ee5bdbdbcf20395520633e5 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:cb526dd6bd0473d4bc13f174698ea619c5e5dbe5cf465c2c2193679232b0ae4c unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:c46f71fd1c155408171643cf823e5af50f425eef10d883819156d044f8158361 unaffected < *
Red Hat multicluster engine for Kubernetes 2.6 affected
Version Status Constraints
sha256:280833b0f16b7c4906710244b1fb121c8aa554e641c507d594667e9620573386 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:d64f8dd4bc9c3c9cd4cde0d9c824a5554d3e3bad10cc45259f0cae1b49d60d72 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:4c60d0415004cc994bc68aae4e38bfa17bb0b67df3213a670dcd1ab7dbfd55af unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:f33b87fa6e230bcea8a1ee1a8818aafb3ffb929fe728a62ee6d4a32a4bd45176 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:af41dc511a4fba130590c8528e555fa331d0fea3c617a3f942e98216900d6773 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:4e0d8a47e840f27038d6290dab730d7115dc1b1a5fe2c2fe7c2307211253a96a unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:abaf77e6b461da4ae52774dfc2816c619c0bb9a2199024742ec173f3401c9981 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:295cce4181249098c7903b70ef34afe257731e062c9cb944845663929ca8075c unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:17ff83445d5f6c2296f1b5c5061734a7866c84f6951e140f194bb5a1b2c981a2 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:d64f8dd4bc9c3c9cd4cde0d9c824a5554d3e3bad10cc45259f0cae1b49d60d72 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:4c60d0415004cc994bc68aae4e38bfa17bb0b67df3213a670dcd1ab7dbfd55af unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:f33b87fa6e230bcea8a1ee1a8818aafb3ffb929fe728a62ee6d4a32a4bd45176 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:c82fe71551720c0af6d8d209842aaea41eb6fba1a5651ea13dc4c6fcfddc66a3 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:4e0d8a47e840f27038d6290dab730d7115dc1b1a5fe2c2fe7c2307211253a96a unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:abaf77e6b461da4ae52774dfc2816c619c0bb9a2199024742ec173f3401c9981 unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:295cce4181249098c7903b70ef34afe257731e062c9cb944845663929ca8075c unaffected < *
Red Hat multicluster engine for Kubernetes 2.7 affected
Version Status Constraints
sha256:17ff83445d5f6c2296f1b5c5061734a7866c84f6951e140f194bb5a1b2c981a2 unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:4730066d796726424abb881b2564bb7e313237ac877284c206c8aee3e3843b2e unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:17ce360bc53af9054c8b1f09d5f62061e449298e471bd0a7cc022dc2b8c402db unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:89a9e49213426355fb85f5c67f6d27f4cf2e51d55010a33039fafbceb196f838 unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:98e1c337e9a5a7b012d0cb49b2c6eb3366e4026cfbd8666453b4a1e1ee0e8904 unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:b58b9c3a7f55e640756439369f091398614fdf78b4de83454672968be976d6fd unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:e5493d82f31621b9d265341106dedfab372878342163a4357c3554bcff0f8624 unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:9ed27c8a1d6775d0d80f8595ec1a0a20e4fe24c41872eee2350cc5f269e22960 unaffected < *
Red Hat multicluster engine for Kubernetes 2.8 affected
Version Status Constraints
sha256:9eb31a2d6f8cc479b72f5b20a144c2fcf1e9db20c86c1ea52e648c08c633bc2c unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:4f7a00583f8fe10b6fb076c75123c3fa49d9cfa0c89081d3bb39ed347f4c0993 unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:f4ca2e5bc681d665e6234a1713ac02ea7460ed8fc5204c363a93eb758521189a unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:6ea6ea4f6425b574d708dabec4dc9f42e39b9553d4969b91663e2ffd866d8bb7 unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:88c20a3db23ec8edb463c9aba6340522118967db2a220b95d86a7fcc8c6462cb unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:2e11b27b9d6884dcb846865d632c141a038f85163b0c4db63a1f29cb8d277125 unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:4280a31c94268bb421798385104196fcbf69d6821344601af246fd087e93ca63 unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:8bd6b32078b7aceea003fdcd90f51a963e056a16dbe5ea54d56cbdfc6de029d5 unaffected < *
Red Hat multicluster engine for Kubernetes 2.9 affected
Version Status Constraints
sha256:ddd7acae1c7918ec983e18cb6000a6050fd80eb5e57d2f3b9754de3713ba877b unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.11 affected
Version Status Constraints
sha256:dc57216ee72653b47f144eaec5673ace76df32a1178f98edf999578b3a467971 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.11 affected
Version Status Constraints
sha256:37a2e996d6c951d40a301e24c0bcc0decf1079e85759d6b8fd529cc6e672d9d1 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.11 affected
Version Status Constraints
sha256:06d861b23cf7f8622e14d577d87ab1da07b1ebe7caaa51f4ebb7216f9435ada4 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.11 affected
Version Status Constraints
sha256:a01b582bf6eb19385e30a2c74957b111f71242059500c3c568c8e0dd1d6683a9 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:37c6415ccd9a7a41d99d67ebe5ffd33c54d723c23e9cb744ea0626a9ab5b7854 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:ba2a04ce8cd5cc8221049896d4e1a46b4912e6f8213316020b3f40dfdacd7954 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:48de325c8fb17bdc9bac28da64ad7238278a736106340d9effbc83ed35cf42b5 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:7c33e076b440b8bc1a5d722b21094997585d4ae2f50a5230df788e61c283445c unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:e53d09785f1417554adef6952e32638c0ece003228e125d4a0dc4f9bb59ee979 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:c489f3ea58cdf0e90221041a8b99b4d072c1d925c87262d03bbae790ddb118fa unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.12 affected
Version Status Constraints
sha256:dbb96a4e7584a48e7a61a00485ccbcb23919dcbdd47af01cec452bd4f0fd0bdc unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13 affected
Version Status Constraints
sha256:6cc312032def2c245b43e6af8d57b319616a2713a6bd4f865ee99be6309e5846 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13 affected
Version Status Constraints
sha256:bf1433c1b724907496c3ffbe697e1ae3b1c92cdfd1e2836a652eba80c335cb54 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13 affected
Version Status Constraints
sha256:6cc312032def2c245b43e6af8d57b319616a2713a6bd4f865ee99be6309e5846 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13 affected
Version Status Constraints
sha256:4e61bb2cc124f37ec9c009e9ee92bfa638ff608f2b28962abbe1ff5614b99155 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13 affected
Version Status Constraints
sha256:bf1433c1b724907496c3ffbe697e1ae3b1c92cdfd1e2836a652eba80c335cb54 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:4f03df7f0ee87ce88f225e193f03e6471e26808e8a5224bd75828740cf5e42b4 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:c13595e478ea28b6ba8d146d5a93c6f271babf253653d914139000e5af34d022 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:b2bf3ec7254afae3ff1fb0713e336cd4b58fc734f6439ccdc0bb659e939db885 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:e11fa23f27e11118273b98b57137f42dbbea9b18df0a55e674662cb12522bae5 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:9dc8efe7f5e8e7b1ccacdd9e2feddf4fb90432e61f8fa9f7229e320ab0ee800d unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:e5e7d3e715c21d58322704974d82acd21bf33b87ad4218d32a7c478e1efc8bf8 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:b7c30d0c5e9255d6b10fc625206faf87e2a783cc34d16686245213a105462902 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:55094fc781f35867d298ae9ee006113c78b086ce1263ccee2f0a94ec581c837b unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:930e2fc73ea1a5076dfcfeaee276706e56ec7ff5702796eae37f60b1e479f201 unaffected < *
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 affected
Version Status Constraints
sha256:b8d389436f0ac6d75dfcd0b203f2f5b0e1b0e2e24285b9a5bedf9f74f1a14028 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:931fcca9e7cb6f6c7454a72b533cbe4d767438e374848b846f079a3c2d323901 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:13b0299a3e045cc02e6d864398e3676b1dc038504fab8993a92b8b8fdff252c6 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:152c336c76cc69fc11cd6d3957c781c8d1c733a3cbead2448efd202b35d034e2 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:f6bb9ef4fdc334383afeb77f5db81543ed3657186402912c374cefdf4e90588e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:0a0e70953d2217d929b55a7a7a4c1e49c7e5f6b196b693312c252bfec2dc3843 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:846f481d6d57e4306f4c53d9ae90c6e9e6d0af1006b7f999c4bc392b25b0183d unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:daed8221087db9480c473be7564d9cd327ff9f958971301cc6229dc4079005f9 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:a73d74c5aad19c476d2f6be7bde6763675d68342021e9654dffe4303cf8d2a2c unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:10de7f45e7adf11c48fd3311bfdf50c80af2c15b36d54d2565e9115dbe74747b unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:8d131c609dea271df0cf754e7d28cdb79ad45012c5359f61b13713f9467c8e32 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:f011d15924cc17887a92b01285d253add0b738c1551ee6c9efef88e123e607ef unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:7a22735b61f1ac887f6d08a4af1bf55f18feddf520da107d0de5df6740ae5c3c unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:d10840f73008b75bd8550baa67ce453e27ae44bfdb4515fe53752078d460edfb unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:0fda299fc4af5af2365f1bc7b2155e6a109196218443a03e65eb1b117cbdeeae unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:b637addd2433a802522b7d3fdb48edde41a42192ba467cad24df7fa09d9df16d unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:ad289441b35f194fe3920d2ec534421c266dcf9cbfe191821ef43669d94853a8 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:4f9c2643f80a37b042a4ffdc1bd68e06a18b9077daec7d4b4cb566adee26ba03 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.14 affected
Version Status Constraints
sha256:70eeb29f70f8d78e702fad26d13875cd36bfcf6aea7d2b9415dded2b526a73ef unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:1d75f5d047a30a5d80df63d6201cd5550c8aad5d000c079f9d8c9a5c62ae45ce unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:308cd8acade8e07b3183bbe8735b724b866a7337491afc78967eecd2c812d5e3 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:471378c4190b89eabe298a7fb4b77ddfd8fa1497b68a64bd178e6eb9467f8717 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:2012c48688b519ce45f08e1392fd886400a1782ea4bf942e434b4281cebca64e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:e180ab9a046e9a14f8c537d387879a96c5013aa784221eb976b0b08fb9e1f7f8 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:d79168a44c5789d77d249f5ec981d36345cfbd834ee6cef2de0eb8d90e8bf308 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:2afaf7feceda2596f257888a5cc5dd19293252da973d4988e00a21c50aa601c4 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:7b82430d91bd92f7103b73f39e1eeee300b036cf2dcd24bba4d8a6c73585636e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:02e2e6d8f4037d66a951af24d72a02cb1e41bce6a5c1f184fc6797c49f60fc75 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:22c95138c3ca3d086227da3181548a73e86eb244670e0f6acf8ed9011883fdb2 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:2a3861eeb69808eea9cd1848e770a9f3b6e65ef44c8add47675a51e4d35edbfe unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:d48fa8a0cd66c90236cdd2a826f75d78e12814f4383f059171038c36dc96595d unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:3b5d7efdc37addbcfe93f01d80e7c8cf35a0167d6cee67532604c5a08326f978 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:2823b76f7f6ab7583fbf6ef79520eaa6d3875cb569bd5d30e662cc3c06bfc68c unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:12451b0a143da79ef8012629abdf852c94a2388e0fc35cf0d550493a430b5d67 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:42bf30dbe0a237936719b62aa1087075e7b387998d2143c2a16a7b7c9960e9fc unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:61acc4a0fae3f3a706ef70a08f7bf10b2773299c0fdd546705028483a02cd241 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.15 affected
Version Status Constraints
sha256:f4a5e16ed21a930a510b5f695a645be2cb6bff1487f5865650fe3c0759e25689 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:90e1182faf9159afda95183b6e38b7c6b85135ba1f42cae017a2e3bb79ba577c unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:f1c8c40ee99ee53c66bba5a4d81c87f1396097316f31dec48a1646701f41f232 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:cca27409fe4da2aa3a6502df29727b023091ef8570934396ee05dd6cb8aa21d6 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:2157276d6715734095eccf19ee2a3b8ee2610831e6db28db4d1549a45ef1226f unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:12de253d776c8a2b72966403179650aeee0ea3a4100be45a93b240fcf23ccc17 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:57f81dbdd41c7ffba5d245a3cfff9192051443da9e77da67a54df4459f472a5a unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:e4bf6d76d50ba119227780b6dd86947c760d6195da3bed49b0f6f99a43ea0501 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:b4b85e7dcb3fd751c6a8efe6fe43bf5b588850c1e8586f41fffe4f396c2dba54 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:8c03adf5bf39500da25a90054356ea16d1c7ec4ecd5d76784af6792db256cd9b unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:0569ea1b4783e21b056242d9f2a40a548ff560a5ab957245444cc3770ed664db unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:271c19cfd3fa7295781909453024996f81d21cab5d875a8ce04c04e14ec78fb4 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:f1461bb91214c8fce0a143e00353c7e61abd374e31476dc71beaa6d75a2d0847 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:5f7a8b18679ae4b05476081de296a1bdb5428b8baf12186095ebae336ef47d74 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:6ba203d77b6755eb3824e86e8c88178e131c3e5254ea9b0a920085439fe9f510 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:0d7aed32d3447e3a3571b82f45a190221f48e224e70dcbb8ebc97b0172ca8544 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:c71e293e5df634dbe9610e2458b4b0eddd7d7e98c1e9c14f1d42c3bca9d347e1 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:e7a14646b06cc234948536dccd1741c0a07124923e0195a403bec100c5d796d9 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.16 affected
Version Status Constraints
sha256:875e86d19b02583156eb12fc726b5089a377403088389997383c0c986e3b2fc1 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:4732e19283a907e1a987590a0815e4c7b95c80218864eb6ae7f0393867a28e2e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:8644ff17cdb6427db074a2c5d1aa3ec2168524fa2b0a2cc86095321cdd7e116e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:2a9ecf79a8209fb80fc189c2a05b68ebb3874dd2e1c404361f3b26533188e6a1 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:a8135ff473a1f8fa10a7e58258a6e355e58d6df2a89caf9c15d7c2c437d5cb8f unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:166573d2a6d90fe041bccb6ccb867e487131fce54ddf6e52bfaf79859bcd9cb7 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:b2ec7b94fa8e3e95fbe9195f0ae886d85fa6edc592949b6d28eb67e5e5cd1654 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:e661ba3760dbd154ca7fcac8ceb39a50403664e712f43a93c4732b7e078de7aa unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:e42ee66ee537d9f11b2e0d8bccf6bd35208b222bb586b9b2a08cfd37750cfa60 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:8903e0bced0e11a54fcba807bda0e5e4a4ca3072c62b3e1a8262df657e5de955 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:0c3219a8065376f68178b94273c691afa37d5b2ab49f26e1f8167624a1487965 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:2cc37571ac6b16b0f64917fd0724f1b9551cbf3b0fcd6974d8290d2a72a38a82 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:f1ffce4025a69919c719a68acc3947920a232dcfa1d7b5987aadcaf3f88e0481 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:05662182c4c1d373d36066294c7f927d63ef85c6f0922ced8612a2eb8bd7d925 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:ce4d79d310a644286872f9026bab2fe0725b4fc9baf230b407bc5eb5326c8136 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:6336c817d1bcbce9677ca5d525ceedd28789cbde1384cf7a606608168f4e0f10 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:2d44d2a7b7524c431ff8176599bb1b72a682c0911e026fb086e4aeabc3bd1e8f unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:b5c2f9936dee5d3a61215b9745b6204963213399a087e1e2502d79de8d2b7194 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:fe2f268a94607d73be5e1f1a9d575cdf5e4805dc1049bd0d0e09e52303920c4b unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.17 affected
Version Status Constraints
sha256:a319b25a6d5deef4d0a0f365734d6be96fdd863962e36b306e9946521aec724c unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:b251e7b26d4a6f3443d6d795a4d92992b5f79d56e5561477648eabae286d7641 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:5ee6284d6354e4e55f1ee7eb5a79b833aae6e31bf42bf185c4192e5d373f06e7 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:87f5569806a8960520bab78d69514f2e2061b2ad69040cf7c164a5037c27e6bf unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:00bdcca61bc8765fbbc838deeb86392ce25c72f0170241c270484ec9b77bd263 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:e9f1e2743fe9930ccb470c6eb8d9e9577640fe6a9ab7a013648e513b6216fa74 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:a492d94ceced107b6b8dc7339cca181875d2245c5f8ac9ecc51979160a341d76 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:5aad1d226292a42c700e97575eec56040108869acdcb720a9c5b32d02a0035b3 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:2abd2d479416e66c6f85e4e883d5e4987bc38f476f907766374784107b89de9a unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:0a5ac166f5ebddae21dcf2ce8a5932494209533ac4a92ff5551a402291f27ff9 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:b14c3a7c4cc6531ed0d9701fe1b07ddc8c85e702ef8b058f0eaaadb1e8852a04 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:173a4998c70c4c8ff9d0d4f90fb48e8e3d3f8fbc4deeb4f742cbaa38dda61215 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:b2fbb75c7054d13ff54575b398d6d70b5f0348c9777fcb88611b95c0dc18db4e unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:40f8584e7ed0be1742fc3d40ee639dfd5323e38c55c7fcae4146d4246abf6cf0 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:7c5b233911109f0a218b634d8d317229a3949b2ea5936b7ec91ebfcdd6f15060 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:d72bc2058e6fe68d79add2423d6ec95baf531f4d3e6a542f6e9d9a07f52bd9c9 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:eb4386e6dfb4a2277085dbc44190243c40d973b80e9985fe42378098eb35e6e7 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:1d10099e7b5e3a3c4444569f6af365f90494c71b758aad1dad53f5aecf788ca5 unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:74b1659b62a5d75ef62f8fc46701445a51a1e78e8d7d96ccccab47cdd67acacb unaffected < *
Red Hat Red Hat Openshift Data Foundation 4.18 affected
Version Status Constraints
sha256:f0fc8196ffce6f355f06c0157a38e36109eaa9be1f3e91ad71fdd72bc33ee509 unaffected < *
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Engine for Kubernetes unaffected —
Red Hat Multicluster Engine for Kubernetes unaffected —
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Engine for Kubernetes affected —
Red Hat Multicluster Engine for Kubernetes unaffected —
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Engine for Kubernetes unknown —
Red Hat Multicluster Global Hub unaffected —
Red Hat Multicluster Global Hub unaffected —
Red Hat Multicluster Global Hub unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unknown —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unknown —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unknown —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unknown —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unknown —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2 unaffected —
Red Hat Red Hat Advanced Cluster Security 4 unaffected —
Red Hat Red Hat build of Apicurio Registry 2 unknown —
Red Hat Red Hat build of Apicurio Registry 3 unaffected —
Red Hat Red Hat Fuse 7 affected —
Red Hat Red Hat OpenShift Container Platform 4 affected —
Red Hat Red Hat OpenShift Container Platform 4 affected —
Red Hat Red Hat OpenShift Container Platform 4 affected —
Red Hat Red Hat OpenShift Container Platform 4 unaffected —
Red Hat Red Hat OpenShift Container Platform 4 unaffected —
Red Hat Red Hat OpenShift Container Platform 4 affected —
Red Hat Red Hat OpenShift Virtualization 4 affected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat OpenShift Virtualization 4 unaffected —
Red Hat Red Hat Web Terminal unaffected —
Red Hat Red Hat Web Terminal unaffected —

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Redhat Subscribe
Acm Subscribe
Advanced Cluster Security Subscribe
Apicurio Registry Subscribe
Container Native Virtualization Subscribe
Jboss Fuse Subscribe
Multicluster Engine Subscribe
Multicluster Globalhub Subscribe
Openshift Subscribe
Openshift Compliance Operator Subscribe
Openshift Data Foundation Subscribe
Openshift File Integrity Operator Subscribe
Service Registry Subscribe
Webterminal Subscribe
Advisories
Source ID Title
EUVD EUVD EUVD-2025-23951 Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Github GHSA Github GHSA GHSA-856v-8qm2-9wjv operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
Fixes

Solution

No solution given by the vendor.

Workaround

In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability. Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required. allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities. SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself. Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.

References
Link Providers
https://access.redhat.com/errata/RHEA-2025:23406 cve-icon cve-icon
https://access.redhat.com/errata/RHEA-2025:23478 cve-icon cve-icon
https://access.redhat.com/errata/RHEA-2026:0129 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:19332 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:19335 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:19958 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:19961 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:21368 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:21885 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22415 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22416 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22418 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22420 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22683 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:22684 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23528 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23529 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:23542 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:0627 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:0718 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:0722 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:0737 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:2572 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-7195 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2376300 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-7195 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-7195 cve-icon
History

Wed, 11 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 16 Jan 2026 00:00:00 +0000

Type Values Removed Values Added
References

Thu, 15 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.8::el9
References

Thu, 15 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 14 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.13::el9
References

Thu, 08 Jan 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.17::el9
cpe:/a:redhat:container_native_virtualization:4.20::el9
References

Tue, 06 Jan 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.18::el9
References

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.11::el9
References

Wed, 17 Dec 2025 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_file_integrity_operator:1 cpe:/a:redhat:openshift_file_integrity_operator:1::el9
References

Wed, 17 Dec 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.6::el9
References

Tue, 09 Dec 2025 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 09 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc

Mon, 08 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat service Registry
CPEs cpe:/a:redhat:service_registry:2
Vendors & Products Redhat service Registry

Mon, 08 Dec 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhosemc
CPEs cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc
References

Fri, 05 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:devworkspace
Vendors & Products Redhat devworkspace

Thu, 04 Dec 2025 00:00:00 +0000

Type Values Removed Values Added
References

Wed, 03 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
References

Mon, 01 Dec 2025 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.15::el9
cpe:/a:redhat:openshift_data_foundation:4.17::el9
References

Mon, 01 Dec 2025 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.14::el9
References

Mon, 01 Dec 2025 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.16::el9
References

Thu, 20 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Compliance Operator
CPEs cpe:/a:redhat:openshift_compliance_operator:1::el9
Vendors & Products Redhat openshift Compliance Operator
References

Thu, 13 Nov 2025 22:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4 cpe:/a:redhat:openshift_data_foundation:4.18::el9
References

Mon, 10 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.12::el9
cpe:/a:redhat:multicluster_engine:2.7::el9
References

Thu, 06 Nov 2025 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.9::el9
References

Thu, 30 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.14::el9
References

Sun, 31 Aug 2025 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat apicurio Registry
Redhat container Native Virtualization
Redhat devworkspace
Redhat jboss Fuse
Redhat webterminal
CPEs cpe:/a:redhat:apicurio_registry:3
cpe:/a:redhat:container_native_virtualization:4
cpe:/a:redhat:devworkspace
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:webterminal:1
Vendors & Products Redhat apicurio Registry
Redhat container Native Virtualization
Redhat devworkspace
Redhat jboss Fuse
Redhat webterminal

Fri, 08 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
Description Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Fri, 08 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 07 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Title Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
First Time appeared Redhat
Redhat acm
Redhat advanced Cluster Security
Redhat multicluster Engine
Redhat multicluster Globalhub
Redhat openshift
Redhat openshift Data Foundation
Redhat openshift File Integrity Operator
Weaknesses CWE-276
CPEs cpe:/a:redhat:acm:2
cpe:/a:redhat:advanced_cluster_security:4
cpe:/a:redhat:multicluster_engine
cpe:/a:redhat:multicluster_globalhub
cpe:/a:redhat:openshift:4
cpe:/a:redhat:openshift_data_foundation:4
cpe:/a:redhat:openshift_file_integrity_operator:1
Vendors & Products Redhat
Redhat acm
Redhat advanced Cluster Security
Redhat multicluster Engine
Redhat multicluster Globalhub
Redhat openshift
Redhat openshift Data Foundation
Redhat openshift File Integrity Operator
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-19T00:43:23.459Z

Reserved: 2025-07-07T08:45:21.278Z

Link: CVE-2025-7195

cve-icon Vulnrichment

Updated: 2025-08-07T19:23:17.337Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-07T19:15:29.367

Modified: 2026-02-11T17:16:08.057

Link: CVE-2025-7195

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-08-07T18:59:00Z

Links: CVE-2025-7195 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses