CVE-2025-7195

Summary

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.

In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Affected Software

VendorProductVersion RangeStatus
operator-frameworkoperator-sdk0 < 0.15.2affected
Red HatRHEL-9-CNV-4.17v4.17.39-2 < *unaffected
Red HatRHEL-9-CNV-4.18v4.18.25-3 < *unaffected
Red HatRHEL-9-CNV-4.20v4.20.3-3 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.6v2.6 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.7v2.7 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765872406 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81766360304 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765669648 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765866268 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765872399 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765872402 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765872398 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.81765872400 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red Hatmulticluster engine for Kubernetes 2.9v2.9 < *unaffected
Red HatOpenShift Compliance Operator 11.8.0 < *unaffected
Red HatOpenShift Compliance Operator 11768172669 < *unaffected
Red HatOpenShift File Integrity Operator - FIO 1v1.3 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.11v2.11 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.11v2.11 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.11v2.11 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.11v2.11 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.12v2.12 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.121773285089 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.121773259164 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.121773259182 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.121773358651 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.121773090513 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.131767569821 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.131767829032 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.131767569821 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.131767656229 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.131767829032 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.14v2.14 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.141769720041 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.141770343757 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.141769721579 < *unaffected
Red HatRed Hat Advanced Cluster Management for Kubernetes 2.141770336554 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178221 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178222 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178236 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178273 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178715 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178261 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178354 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178419 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178768 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178319 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178386 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178406 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178615 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178379 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178329 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178423 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764178419 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.14v4.14-1764215448 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176261 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176342 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176372 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176892 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176485 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176698 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176699 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176675 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177101 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176690 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764221806 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764222436 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177174 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177033 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764176958 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177101 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177020 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.15v4.15-1764177029 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764168955 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169118 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169242 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169544 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169347 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169479 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169526 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169464 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169687 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169457 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169527 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169577 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169730 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169598 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169623 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764169710 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764170019 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.16v4.16-1764170021 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764167834 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764167795 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764167826 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764167876 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168179 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764167987 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168476 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168475 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168431 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168662 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168475 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168536 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168609 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168731 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168699 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764168859 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764169063 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764169125 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.17v4.17-1764169222 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854289 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854280 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854280 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854319 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761855549 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854321 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854422 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854430 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854457 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854484 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854398 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854494 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854493 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854504 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854489 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761855467 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761854524 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1762335558 < *unaffected
Red HatRed Hat Openshift Data Foundation 4.18v4.18-1761855234 < *unaffected

Weaknesses

  • CWE-276: Incorrect Default Permissions

Workarounds

In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.

Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers.

Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.

allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.

SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.

Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References