CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
Analysis
OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentication and account creation, enabling unauthenticated remote attackers to enumerate registered users. The CVSS score of 5.3 reflects the low confidentiality impact, with no authentication required and low attack complexity; no public exploit code or active exploitation had been confirmed at the time of analysis.
Technical Context
The vulnerability stems from CWE-209 (Information Exposure Through an Error Message), a class of flaw where disparate error responses reveal sensitive information. OpenShift Mirror Registry, a Red Hat container image registry component, fails to implement uniform error handling across authentication and account creation endpoints. An attacker can send requests to login and registration endpoints, analyzing response codes, messages, or timing differences to determine whether an email address or username exists in the system. This information disclosure attack requires no authentication (PR:N per CVSS vector) and no special user interaction, making it a low-complexity enumeration vector.
Affected Products
Mirror Registry for Red Hat OpenShift is impacted, including both the primary product (cpe:2.3:a:red_hat:mirror_registry_for_red_hat_openshift) and version 2 (cpe:2.3:a:red_hat:mirror_registry_for_red_hat_openshift_2). The CPE entries indicate that all versions are affected, though the exact version ranges with and without the fix are not specified in the available data. The Red Hat security advisory for CVE-2025-14243 at https://access.redhat.com/security/cve/CVE-2025-14243 and the associated Bugzilla report (https://bugzilla.redhat.com/show_bug.cgi?id=2419829) provide official vendor guidance.
Remediation
Apply the patch released by Red Hat for Mirror Registry. Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-14243 and Bugzilla ticket 2419829 for the specific patched version applicable to your deployment. In interim periods, implement rate limiting and monitoring on authentication and account creation endpoints to detect enumeration attempts, and consider network-level access controls restricting these endpoints to trusted networks if operational context permits. Upgrade to the patched version as soon as testing and deployment windows allow.
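The interim monitoring recommended above can be implemented as a simple detector over authentication and account-creation access logs. The following is an added example, not code from the advisory or from Red Hat; the log format, the endpoint paths `/login` and `/register`, and the sample lines are all constructed assumptions. It flags a source address that fails attempts against many distinct identifiers inside a short window, which is the signature of user enumeration rather than of a password attack on one account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real Mirror Registry output). Assumed format:
# "<ISO timestamp> <client ip> <METHOD> <path> <status> user=<identifier>"
SAMPLE_LOGS = """\
2025-01-10T12:00:01Z 203.0.113.7 POST /login 401 user=alice
2025-01-10T12:00:02Z 203.0.113.7 POST /login 401 user=bob
2025-01-10T12:00:03Z 203.0.113.7 POST /login 401 user=carol
2025-01-10T12:00:04Z 203.0.113.7 POST /register 400 user=dave@example.org
2025-01-10T12:00:05Z 203.0.113.7 POST /login 401 user=erin
2025-01-10T12:00:06Z 203.0.113.7 POST /login 401 user=frank
2025-01-10T12:05:00Z 203.0.113.7 POST /login 401 user=gina
2025-01-10T12:00:20Z 198.51.100.9 POST /login 401 user=alice
2025-01-10T12:00:25Z 198.51.100.9 POST /login 200 user=alice
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")
WATCHED_PATHS = {"/login", "/register"}  # assumed paths, not from the advisory

def parse_line(line):
    """Return (timestamp, ip, identifier) for a failed request on a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, _method, path, status, ident = m.groups()
    if path not in WATCHED_PATHS or int(status) < 400:
        return None  # successes and unrelated endpoints carry no enumeration signal
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, ident.lower()

def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each source IP to the largest number of distinct identifiers it failed
    against within any single window, for sources reaching the threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append((ev[0], ev[2]))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        seen, start = Counter(), 0
        for t, ident in events:
            seen[ident] += 1
            while events[start][0] < t - window:  # slide the window forward
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(seen))
    return alerts
```

Repeated failures against a single account from one address never raise the distinct-identifier count, so this detector complements, rather than replaces, ordinary brute-force lockout rules.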
Related Identifiers
EUVD-2025-209308
GHSA-v9gq-365f-qxxw