Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container.
AnalysisAI
Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.
Technical ContextAI
The vulnerability stems from improper file permissions (CWE-276: Incorrect Default Permissions) set during container image construction in Red Hat Ansible Automation Platform 2. The /etc/passwd file, a critical authentication and identity database on Unix-like systems, is created with group-writable permissions instead of the secure default of 0644 (owner read-write, group and others read-only). When a non-root user is a member of the root group (GID 0) within the container, they can directly edit /etc/passwd to insert new user entries. By adding an entry with UID 0 and appropriate shell configuration, an attacker gains full root-level access within the container's namespace. This is a container-specific privilege escalation that exploits the container build pipeline rather than kernel or runtime vulnerabilities.
RemediationAI
Organizations should apply patched container images from Red Hat's official container registry. Red Hat's security advisory (https://access.redhat.com/security/cve/CVE-2025-57847) provides the specific patched versions and remediation guidance. As an interim workaround, container operators can manually correct /etc/passwd file permissions in existing container images by rebuilding them with corrected Dockerfile directives that explicitly set /etc/passwd to 0644 permissions (e.g., RUN chmod 644 /etc/passwd), and restrict root group membership to only necessary system accounts. All running containers based on affected images should be redeployed with patched versions.
Credential disclosure in Red Hat Ansible Automation Platform 2.5 and 2.6 allows any authenticated user to retrieve plain
mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated r
Remote code execution in galaxy_ng's legacy role import API (v1) allows an authenticated user controlling a git reposito
Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote
Insufficient OAuth token invalidation in Ansible Lightspeed (part of Red Hat Ansible Automation Platform 2.x) allows a r
Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209298
GHSA-49g2-wpmf-55pv