fkie_nvd - fkie_cve-2025-7195

fkie_cve-2025-7195

Vulnerability from fkie_nvd

Published

2025-08-07 19:15

Modified

2025-11-20 21:16

Severity ?

5.2 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

Summary

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

References

	URL	Tags
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:19332
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:19335
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:19958
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:19961
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:21368
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:21885
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2025-7195
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2376300

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. \n\nIn affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container."
    }
  ],
  "id": "CVE-2025-7195",
  "lastModified": "2025-11-20T21:16:07.237",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 5.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 4.7,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-07T19:15:29.367",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:19332"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:19335"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:19958"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:19961"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:21368"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:21885"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

CVE-2025-7195 (GCVE-0-2025-7195)

Vulnerability from cvelistv5

Published

2025-08-07 19:05

Modified

2025-11-21 08:06

Severity ?

5.2 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-276 - Incorrect Default Permissions

Summary

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:19332	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:19335	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:19958	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:19961	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:21368	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:21885	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-7195	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2376300	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

Red Hat

Compliance Operator 1

Unaffected: sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83 < *
cpe:/a:redhat:openshift_compliance_operator:1::el9

Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:dd99548b21e36ba637fbf8e44f6062d2fec98abd536dba16e10475648664984e < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:4364624686c53f5996960296f8ce496ee819d500eab396f35f7bf417dfdf08b9 < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:0488dca3cb2db097732fe153483af7c4b2acdb7b0bc241f30e78cdb0474d11bb < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:d6daba3c061a1405e127105d9cd8d719bf793c3c375bdbdd839f0d0ae5517fe9 < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:ff0c848b18b366afbe60b4fe97c876c0f71999262c9b92eae89db03b1158496f < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:abaf77e6b461da4ae52774dfc2816c619c0bb9a2199024742ec173f3401c9981 < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:295cce4181249098c7903b70ef34afe257731e062c9cb944845663929ca8075c < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.7	Unaffected: sha256:7ef2d434ff3b461181f4fbead426143e21524bf70e42efb2e5f945f1a4b64b51 < * cpe:/a:redhat:multicluster_engine:2.7::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:92dcf853dee08f8f68d43d6928df81e0e03cb95ed1c7b9035de089ec831ac12f < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:487d5f2fae53dde288db6981d2e6373d0be4ac440abc7683147d64fce28976de < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:3d3c96fd84e118f8236161bf16f22e2456a84fb38b0cd80406e97ada5149d30f < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:495c95d1a2df101e0bf9c0eaa3caeb575f596d6098782c3a0a1dcb0342589886 < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:3a315a6e64edc354b066358fb29a64e9c7661d1ee9e634c084cb972d87329dc9 < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:36c26ae9529d584fbd4ed24376ff8a83fd583190d4b13461a484e8f49c3ac3b3 < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:8bd6b32078b7aceea003fdcd90f51a963e056a16dbe5ea54d56cbdfc6de029d5 < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	multicluster engine for Kubernetes 2.9	Unaffected: sha256:ae7818eab65947f74badec716268053224a27b53d704d89c455380d54009c10c < * cpe:/a:redhat:multicluster_engine:2.9::el9
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2.12	Unaffected: sha256:dbb96a4e7584a48e7a61a00485ccbcb23919dcbdd47af01cec452bd4f0fd0bdc < * cpe:/a:redhat:acm:2.12::el9
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2.14	Unaffected: sha256:c13595e478ea28b6ba8d146d5a93c6f271babf253653d914139000e5af34d022 < * cpe:/a:redhat:acm:2.14::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:b251e7b26d4a6f3443d6d795a4d92992b5f79d56e5561477648eabae286d7641 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:f4615211c16cc89f94043e2588400957b8fd225f233c86096542ac1364678cf4 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:c8dce4a25f10645edc649576e995b2b6619c8bc39c2c30d3cffbe3a3c3a86b35 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:ac8d47727a66b68185bf77848b27b8e5a9c41a023cb6f424a75369b6e4b500a7 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:e9f1e2743fe9930ccb470c6eb8d9e9577640fe6a9ab7a013648e513b6216fa74 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:f588f9517ac72fb92989f929ad6e643440f709cb4d311974d0e201bfd6b17958 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:ecc54bc4e8be6f3bfade15c23827e84445acc12c63b4e133cee73e57ac5a42aa < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:2abd2d479416e66c6f85e4e883d5e4987bc38f476f907766374784107b89de9a < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:c786effa06598ecb80690644d1c9075588e123ad200db05686568a80a1feeb56 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:b14c3a7c4cc6531ed0d9701fe1b07ddc8c85e702ef8b058f0eaaadb1e8852a04 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:173a4998c70c4c8ff9d0d4f90fb48e8e3d3f8fbc4deeb4f742cbaa38dda61215 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:599bfb2b83e095f88d90a408d4e8bf66bf10070255c5d174ca9ed8668111d25f < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:4da2afb698447df4a45a8bc1b479e57a5da7cd7a3ace09e131717a31155ec8a5 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:da96f0e217a418accd74f8958444423cb4baca7311ee8d3bf70d22c42597f5cb < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:053ad72159390ad37825015b051252dc162f46ebeeab4866e1568af1f0084cab < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:ca0284c10827905e1576ea0a01bb09425acbf96d30b2e556b34e22e2d0115196 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:65c4003dfb7180e015ec74fe9e599bcc313501ab9b9c67d61fc59a68e6c89349 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:74b1659b62a5d75ef62f8fc46701445a51a1e78e8d7d96ccccab47cdd67acacb < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	Red Hat Openshift Data Foundation 4.18	Unaffected: sha256:f0fc8196ffce6f355f06c0157a38e36109eaa9be1f3e91ad71fdd72bc33ee509 < * cpe:/a:redhat:openshift_data_foundation:4.18::el9
Red Hat	File Integrity Operator	cpe:/a:redhat:openshift_file_integrity_operator:1
Red Hat	File Integrity Operator	cpe:/a:redhat:openshift_file_integrity_operator:1
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Engine for Kubernetes	cpe:/a:redhat:multicluster_engine
Red Hat	Multicluster Global Hub	cpe:/a:redhat:multicluster_globalhub
Red Hat	Multicluster Global Hub	cpe:/a:redhat:multicluster_globalhub
Red Hat	Multicluster Global Hub	cpe:/a:redhat:multicluster_globalhub
Red Hat	Multicluster Global Hub	cpe:/a:redhat:multicluster_globalhub
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Management for Kubernetes 2	cpe:/a:redhat:acm:2
Red Hat	Red Hat Advanced Cluster Security 4	cpe:/a:redhat:advanced_cluster_security:4
Red Hat	Red Hat build of Apicurio Registry 3	cpe:/a:redhat:apicurio_registry:3
Red Hat	Red Hat Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4
Red Hat	Red Hat OpenShift Dev Workspaces Operator	cpe:/a:redhat:devworkspace
Red Hat	Red Hat OpenShift Dev Workspaces Operator	cpe:/a:redhat:devworkspace
Red Hat	Red Hat OpenShift Dev Workspaces Operator	cpe:/a:redhat:devworkspace
Red Hat	Red Hat OpenShift Dev Workspaces Operator	cpe:/a:redhat:devworkspace
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat OpenShift Virtualization 4	cpe:/a:redhat:container_native_virtualization:4
Red Hat	Red Hat Web Terminal	cpe:/a:redhat:webterminal:1
Red Hat	Red Hat Web Terminal	cpe:/a:redhat:webterminal:1

Show details on NVD website