CVE-2025-7195

Severity: MEDIUM (CVSS 3.1 base score 6.4)
Published: 2025-08-07 (source: [email protected])

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 24, 2026 - 15:22 (vuln.today)
CVE Published: Aug 07, 2025 - 19:15 (nvd)

Description

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Analysis

Operator-SDK before version 0.15.2 scaffolds operator container images with an insecure user_setup script that leaves the /etc/passwd file with group-writable permissions (mode 664) and root group ownership, enabling any non-root container user who is a member of the root group to modify /etc/passwd and add arbitrary users with UID 0, achieving full container root compromise. Developers who used affected versions to build operators may still be deploying vulnerable container images if the insecure script persists in their build pipelines. The vulnerability carries a CVSS score of 6.4 with high complexity and high privilege requirements (CVSS:3.1/AV:L/AC:H/PR:H), but an EPSS score of 0.01% indicates minimal real-world exploitation likelihood; no public exploit code or active exploitation has been confirmed.

Technical Context

The vulnerability stems from insecure file permission handling during container image build time, rooted in CWE-276 (Incorrect Default Permissions). The affected Operator-SDK versions generate a user_setup script that modifies /etc/passwd to world-readable and group-writable permissions (664 octal) with root group ownership. In Linux containerized environments, processes running with random UIDs (common in Kubernetes security contexts with runAsNonRoot constraints) often maintain membership in the root group (gid=0) for backward compatibility. The technical flaw allows any such process to write to /etc/passwd despite running as non-root, enabling user enumeration and privilege escalation. This is a build-time misconfiguration issue affecting container images derived from Operator-SDK scaffolding, rather than a runtime flaw in the SDK itself. The issue affects operators built with Operator-SDK before version 0.15.2.

Affected Products

Operator-SDK versions prior to 0.15.2 are affected. Any container images built using Operator-SDK scaffolding before version 0.15.2 that retain the insecure user_setup script during their build process are vulnerable. Red Hat has issued multiple security advisories addressing impacts to downstream products built on this SDK, including RHSA-2025:19332, RHSA-2025:19335, RHSA-2025:19958, RHSA-2025:19961, RHSA-2025:21368, RHSA-2025:21885, RHSA-2025:22415, RHSA-2025:22416, RHSA-2025:22418, RHSA-2025:22420, RHSA-2025:22683, and RHSA-2025:22684. The vulnerability does not affect Operator-SDK 0.15.2 or later versions. Specific CPE strings for affected versions are available through the Red Hat security advisory references.

Remediation

Upgrade Operator-SDK to version 0.15.2 or later, which corrected the user_setup script to set /etc/passwd with secure permissions (644 or equivalent restrictive mode). For operators already deployed using vulnerable Operator-SDK versions, rebuild all container images using the patched SDK version and redeploy. Organizations unable to immediately rebuild should audit their running operator containers to verify they do not have /etc/passwd with mode 664; if confirmed vulnerable, implement Pod Security Standards or network policies that restrict inter-pod communication and enforce runAsNonRoot with restricted group memberships. Review Red Hat security advisories RHSA-2025:19332, RHSA-2025:19335, RHSA-2025:19958, RHSA-2025:19961, RHSA-2025:21368, RHSA-2025:21885, RHSA-2025:22415, RHSA-2025:22416, RHSA-2025:22418, RHSA-2025:22420, RHSA-2025:22683, and RHSA-2025:22684 for patched downstream product versions. As a preventive measure, audit container image build pipelines to ensure no outdated Operator-SDK scaffolding templates remain in use.
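The audit step above can be scripted. The functions below are an added example, not part of this advisory and not Operator-SDK's own user_setup script: they test a passwd file for the two conditions that together make up the CVE-2025-7195 pattern described in the technical context (group write bit set, and group ownership gid 0), report a verdict, and apply the 644 mode that the fixed scaffolding uses. Function names and the script file name are my own; the code assumes a find(1) that accepts `-perm -NNN` and `-group` (GNU, BSD and BusyBox all do), so it can be run inside a running operator container with `sh check_passwd.sh`.

```shell
#!/bin/sh
# Added example (not from the advisory or Operator-SDK): audit a container's
# /etc/passwd for the CVE-2025-7195 build-time defect (mode 664 + gid 0) and
# optionally apply the restrictive mode the fixed user_setup script sets.
# Assumes find(1) understands -perm -NNN and -group (GNU, BSD, BusyBox).

# Succeeds when the group write bit (octal 020) is set on the file.
passwd_group_writable() {
    [ -n "$(find "$1" -perm -020 -print 2>/dev/null)" ]
}

# Succeeds when the file is owned by gid 0 (the root group).
passwd_group_root() {
    [ -n "$(find "$1" -group 0 -print 2>/dev/null)" ]
}

# Verdict for one passwd file (default /etc/passwd).
# Returns 0 = not affected, 1 = affected, 2 = file missing.
# Only the combination is reported as affected: a 664 file owned by a
# non-root group, or a 644 file owned by gid 0, does not match the pattern.
check_passwd_perms() {
    f="${1:-/etc/passwd}"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 2
    fi
    if passwd_group_writable "$f" && passwd_group_root "$f"; then
        echo "AFFECTED: $f is group-writable and owned by gid 0"
        return 1
    fi
    gw=$(passwd_group_writable "$f" && echo yes || echo no)
    g0=$(passwd_group_root "$f" && echo yes || echo no)
    echo "OK: $f (group-writable=$gw, gid0=$g0)"
    return 0
}

# Apply the fixed permissions (rw-r--r--) and confirm the group-write bit is gone.
harden_passwd() {
    chmod 644 "$1" && ! passwd_group_writable "$1"
}

# When executed directly as check_passwd.sh, audit the real file; pass --fix
# as the second argument to also harden it. When sourced, only the functions
# are defined.
case "$0" in
    *check_passwd.sh)
        target="${1:-/etc/passwd}"
        check_passwd_perms "$target"
        rc=$?
        if [ "$rc" -eq 1 ] && [ "${2:-}" = "--fix" ]; then
            harden_passwd "$target" && echo "fixed: $target now mode 644"
        fi
        ;;
esac
```

Hardening a running container is a stop-gap: the file is reset on the next restart from the image, so the durable fix is rebuilding the image with Operator-SDK 0.15.2 or later, as the remediation section says.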

Priority Score

32 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +32, POC 0

Vendor Status
