CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Analysis
Red Hat Process Automation Manager container images allow local privilege escalation because /etc/passwd is created with group-writable permissions during the image build. An attacker who can already execute commands in the container as a non-root user that holds GID 0 (the root group) can append an entry with UID 0 to /etc/passwd and use it to obtain root within the container. The CVSS vector reflects these preconditions: PR:H because a foothold in the container as a root-group member is required, AC:H because that group membership and a writable /etc/passwd must both be present, and S:U because the impact stays inside the container (there is no container escape). All versions of Red Hat Process Automation 7 distributed as container images are affected. No public exploit code had been identified at the time of analysis.
Technical Context
The vulnerability stems from improper file permissions set at container image build time, classified as CWE-276 (Incorrect Default Permissions). The /etc/passwd file, which maps user names to UIDs, primary GIDs, home directories and login shells and is consulted by su, login and every NSS lookup, is shipped with the group-write bit set (for example mode 0664 instead of 0644). Red Hat Process Automation Manager, an enterprise process automation and business rules platform, is packaged as container images. Images built for OpenShift commonly run the application process under an arbitrary non-root UID whose GID is 0, so a non-root process in such a container is a member of the file's owning group and can edit /etc/passwd despite not being UID 0. It can therefore inject arbitrary entries, including one with UID 0 and an empty or known password field, and switch to that account, gaining root within the container. This is root inside the container only; escaping to the host still requires a separate weakness (privileged mode, a sensitive mount, or a runtime or kernel flaw). The CPE data indicates that Red Hat Process Automation 7 is affected across all versions and update streams.
Affected Products
Red Hat Process Automation Manager version 7 is affected across all versions and update streams in container image format. The vulnerability applies to all container image distributions of Red Hat Process Automation 7, as identified by CPE cpe:2.3:a:red_hat:red_hat_process_automation_7:*:*:*:*:*:*:*:*. Affected users should check Red Hat's Security Advisory at https://access.redhat.com/security/cve/CVE-2025-58713 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2394419 for specific patched image versions and container repository URIs.
Remediation
Pull the patched Red Hat Process Automation Manager 7 container images from Red Hat's container registry; consult the advisory at https://access.redhat.com/security/cve/CVE-2025-58713 for the fixed image tags. If you maintain derived images, rebuild them on the patched base, or correct the permissions yourself in the build (for example `chmod 0644 /etc/passwd` as a late build step) and verify the resulting mode before pushing. As an interim mitigation, avoid running the application with GID 0 where the platform allows it, keep container users out of the root group unless the image requires it, and set `readOnlyRootFilesystem: true` in the pod securityContext (enforced through an admission policy or an OpenShift SecurityContextConstraint) so /etc/passwd cannot be modified at runtime. Test the read-only root filesystem before rolling it out: some images append the runtime UID to /etc/passwd in their entrypoint and will fail to start without a writable copy of that file.
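The following POSIX shell script is an added example, not code from Red Hat or from this page. It checks the two preconditions described in the Technical Context (group-writable /etc/passwd and a caller holding GID 0), looks for the artifact an attacker leaves behind (a UID 0 entry other than root), and doubles as the post-remediation check: run it inside a patched image and it should report OK. The exit-code convention and the function names are this example's own; the passwd lines used to exercise it are constructed.

```shell
#!/bin/sh
# Audit a container's /etc/passwd for the CWE-276 condition (group-write bit)
# and for UID 0 entries injected through it. Example code, not Red Hat's.

# Return 0 if the file has the group-write bit set.
# In `ls -l` output the permission string is e.g. -rw-rw-r--; column 6 is the group 'w'.
is_group_writable() {
  [ "$(ls -ld -- "$1" | cut -c6)" = "w" ]
}

# Return 0 if the calling process holds GID 0 as primary or supplementary group.
in_root_group() {
  for g in $(id -G); do
    [ "$g" -eq 0 ] && return 0
  done
  return 1
}

# Print the names of every passwd entry with UID 0 that is not "root".
# A clean file prints nothing.
rogue_uid0_entries() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Combined audit of the file given as $1 (default /etc/passwd).
# Exit codes (this example's convention):
#   0 clean, 1 group-writable, 2 group-writable and caller can exploit it, 3 already tampered
audit_passwd() {
  f="${1:-/etc/passwd}"
  rc=0
  if [ -n "$(rogue_uid0_entries "$f")" ]; then
    echo "TAMPERED: extra UID 0 entries in $f: $(rogue_uid0_entries "$f" | tr '\n' ' ')"
    rc=3
  fi
  if is_group_writable "$f"; then
    echo "WARN: $f is group-writable (CWE-276)"
    [ "$rc" -eq 0 ] && rc=1
    if [ "$(id -u)" -ne 0 ] && in_root_group; then
      echo "CRITICAL: non-root caller is in GID 0 and can edit $f"
      [ "$rc" -lt 2 ] && rc=2
    fi
  fi
  [ "$rc" -eq 0 ] && echo "OK: $f is not group-writable and root is the only UID 0 entry"
  return "$rc"
}

# Run against a file only when a path is given, e.g. `sh audit.sh /etc/passwd`.
if [ "$#" -gt 0 ]; then
  audit_passwd "$1"
fi
```

Run it inside the container as the application user (`sh audit.sh /etc/passwd`); exit code 2 means the conditions in the description are met for that process, and exit code 3 means someone has already added a UID 0 account. The detector uses only `ls`, `id` and `awk`, which are present in minimal images where `stat` or `getent` may not be.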
EUVD-2025-209306
GHSA-7qwf-6qxg-9cq5