CVE-2025-7195
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.
In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| operator-framework | operator-sdk | 0 < 0.15.2 | affected |
| Red Hat | RHEL-9-CNV-4.17 | v4.17.39-2 < * | unaffected |
| Red Hat | RHEL-9-CNV-4.18 | v4.18.25-3 < * | unaffected |
| Red Hat | RHEL-9-CNV-4.20 | v4.20.3-3 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.6 | v2.6 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.7 | v2.7 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765872406 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1766360304 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765669648 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765866268 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765872399 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765872402 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765872398 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.8 | 1765872400 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | multicluster engine for Kubernetes 2.9 | v2.9 < * | unaffected |
| Red Hat | OpenShift Compliance Operator 1 | 1.8.0 < * | unaffected |
| Red Hat | OpenShift Compliance Operator 1 | 1768172669 < * | unaffected |
| Red Hat | OpenShift File Integrity Operator - FIO 1 | v1.3 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.11 | v2.11 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.11 | v2.11 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.11 | v2.11 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.11 | v2.11 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | v2.12 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | 1773285089 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | 1773259164 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | 1773259182 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | 1773358651 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.12 | 1773090513 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 | 1767569821 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 | 1767829032 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 | 1767569821 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 | 1767656229 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.13 | 1767829032 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | v2.14 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | 1769720041 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | 1770343757 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | 1769721579 < * | unaffected |
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2.14 | 1770336554 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178221 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178222 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178236 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178273 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178715 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178261 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178354 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178419 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178768 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178319 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178386 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178406 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178615 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178379 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178329 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178423 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764178419 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.14 | v4.14-1764215448 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176261 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176342 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176372 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176892 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176485 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176698 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176699 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176675 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177101 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176690 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764221806 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764222436 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177174 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177033 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764176958 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177101 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177020 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.15 | v4.15-1764177029 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764168955 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169118 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169242 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169544 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169347 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169479 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169526 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169464 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169687 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169457 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169527 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169577 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169730 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169598 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169623 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764169710 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764170019 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.16 | v4.16-1764170021 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764167834 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764167795 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764167826 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764167876 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168179 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764167987 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168476 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168475 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168431 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168662 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168475 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168536 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168609 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168731 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168699 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764168859 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764169063 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764169125 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.17 | v4.17-1764169222 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854289 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854280 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854280 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854319 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761855549 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854321 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854422 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854430 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854457 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854484 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854398 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854494 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854493 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854504 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854489 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761855467 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761854524 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1762335558 < * | unaffected |
| Red Hat | Red Hat Openshift Data Foundation 4.18 | v4.18-1761855234 < * | unaffected |
Weaknesses
- CWE-276: Incorrect Default Permissions
Workarounds
In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.
Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers.
Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.
allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.
SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.
Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHEA-2025:23406
- https://access.redhat.com/errata/RHEA-2025:23478
- https://access.redhat.com/errata/RHEA-2026:0129
- https://access.redhat.com/errata/RHSA-2025:19332
- https://access.redhat.com/errata/RHSA-2025:19335
- https://access.redhat.com/errata/RHSA-2025:19958
- https://access.redhat.com/errata/RHSA-2025:19961
- https://access.redhat.com/errata/RHSA-2025:21368
- https://access.redhat.com/errata/RHSA-2025:21885
- https://access.redhat.com/errata/RHSA-2025:22415
- https://access.redhat.com/errata/RHSA-2025:22416
- https://access.redhat.com/errata/RHSA-2025:22418
- https://access.redhat.com/errata/RHSA-2025:22420
- https://access.redhat.com/errata/RHSA-2025:22683
- https://access.redhat.com/errata/RHSA-2025:22684
- https://access.redhat.com/errata/RHSA-2025:23528
- https://access.redhat.com/errata/RHSA-2025:23529
- https://access.redhat.com/errata/RHSA-2025:23542
- https://access.redhat.com/errata/RHSA-2026:0627
- https://access.redhat.com/errata/RHSA-2026:0718
- https://access.redhat.com/errata/RHSA-2026:0722
- https://access.redhat.com/errata/RHSA-2026:0737
- https://access.redhat.com/errata/RHSA-2026:2572
- https://access.redhat.com/errata/RHSA-2026:5633
- https://access.redhat.com/security/cve/CVE-2025-7195
- https://bugzilla.redhat.com/show_bug.cgi?id=2376300
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.