Skip to main content

netavark CVE-2025-8283

LOW
External Control of System or Configuration Setting (CWE-15)
2025-07-28 secalert@redhat.com
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 17:46 vuln.today
Analysis Generated
May 19, 2026 - 17:46 vuln.today

DescriptionNVD

A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers.

AnalysisAI

DNS resolve confusion in netavark, the Rust-based network stack for Podman containers, causes container name lookups to be forwarded to unexpected external DNS servers due to a regression that removed the dns.podman search domain. Affected deployments on Red Hat Enterprise Linux 8/9/10 and OpenShift Container Platform 4.0 running netavark < 1.15.1 are subject to misdirected container DNS resolution when host resolv.conf search domains contain a record matching a running container's hostname. The impact is limited to information disclosure (CVSS 3.7, Low), with no confirmed active exploitation and no public exploit identified at time of analysis.

Technical ContextAI

Netavark is a Rust-implemented network stack that manages networking for rootful Podman containers, including internal DNS resolution. Historically, netavark injected a 'dns.podman' search domain to scope container hostname resolution within the container network. A regression removed this search domain, causing the container to fall back to the host's /etc/resolv.conf for DNS resolution. CWE-15 (External Control of System or Configuration Setting) captures the root cause: an externally influenced configuration (the host's resolv.conf search domains) is now consulted where the internal search domain should take precedence. If the host's search domains include a domain with an A or AAAA record matching the container's hostname, the resolver satisfies the query using that external record rather than the expected internal container IP. Affected CPEs confirm the exposure spans cpe:2.3:a:redhat:openshift_container_platform:4.0, cpe:2.3:o:redhat:enterprise_linux:8.0, 9.0, and 10.0.

RemediationAI

The vendor-released patch is netavark v1.15.1, confirmed by the tagged GitHub release at https://github.com/containers/netavark/releases/tag/v1.15.1 and upstream fix commit 068abc869b736a03a947b5419c102da73830e882 (PR #1256). Upgrade netavark to 1.15.1 or later on all affected systems running RHEL 8/9/10 or OpenShift Container Platform 4.0. For Red Hat systems, monitor https://access.redhat.com/security/cve/CVE-2025-8283 for RPM package availability. As a compensating control prior to patching, administrators can audit the host's /etc/resolv.conf search domain list and remove or restrict entries that could resolve container hostnames externally - note that modifying resolv.conf may affect other host-level DNS resolution behavior and should be tested. Alternatively, avoid naming containers with hostnames that overlap with entries resolvable through the host's search domains. No significant side effects are anticipated from upgrading to 1.15.1, which is described as a regression fix restoring prior correct behavior.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2021-4104 HIGH
7.5 Dec 14

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Lo

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2025-26465 MEDIUM
6.8 Feb 18

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

Share

CVE-2025-8283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy