CVE-2025-3528

Summary

A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the /etc/passwd. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod.

Affected Software

VendorProductVersion RangeStatus
0 < 2affected
Red HatMIRROR-REGISTRY-2.0-RHEL-8v2.0.7-9 < *unaffected

Weaknesses

  • CWE-276: Incorrect Default Permissions

Workarounds

This issue can be mitigated by setting this line in each mirror registry systemd configurations:

–security-opt=no-new-privileges

This would prevent any privilege escalation until the issue is fixed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References