CVE-2025-6032
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
4.8.0 < 5.5.2 | affected | ||
| Red Hat | Red Hat Enterprise Linux 10 | 6:5.4.0-12.el10_0 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8 | 8100020250625105344.afee755d < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 5:5.4.0-12.el9_6 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | 4:4.9.4-18.el9_4.2 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 4:4.9.4-14.rhaos4.16.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.16 | 416.94.202507222002-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | 5:5.2.2-8.rhaos4.17.el8 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.17 | 417.94.202507132309-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 418.94.202507221927-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.18 | 5:5.2.2-9.rhaos4.18.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 4.19.9.6.202507152218-0 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.19 | 5:5.4.0-6.rhaos4.19.el9 < * | unaffected |
| Red Hat | Red Hat OpenShift Container Platform 4.20 | 4.20.9.6.202509251656-0 < * | unaffected |
Weaknesses
- CWE-295: Improper Certificate Validation
Workarounds
Download the VM image manually with another tool that verifies the TLS certificate and then pass the local image as a file path to podman, for example:
podman machine init –image <local-image-path>
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2025:10295
- https://access.redhat.com/errata/RHSA-2025:10549
- https://access.redhat.com/errata/RHSA-2025:10550
- https://access.redhat.com/errata/RHSA-2025:10551
- https://access.redhat.com/errata/RHSA-2025:10668
- https://access.redhat.com/errata/RHSA-2025:11359
- https://access.redhat.com/errata/RHSA-2025:11363
- https://access.redhat.com/errata/RHSA-2025:11677
- https://access.redhat.com/errata/RHSA-2025:11681
- https://access.redhat.com/errata/RHSA-2025:15397
- https://access.redhat.com/errata/RHSA-2025:9726
- https://access.redhat.com/errata/RHSA-2025:9751
- https://access.redhat.com/errata/RHSA-2025:9766
- https://access.redhat.com/security/cve/CVE-2025-6032
- https://bugzilla.redhat.com/show_bug.cgi?id=2372501
- https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3
- https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.