Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Redhat |
|
No data.
No data.
References
History
Thu, 07 Aug 2025 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 07 Aug 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | |
| Title | Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd | |
| First Time appeared |
Redhat
Redhat acm Redhat advanced Cluster Security Redhat multicluster Engine Redhat multicluster Globalhub Redhat openshift Redhat openshift Data Foundation Redhat openshift File Integrity Operator |
|
| Weaknesses | CWE-276 | |
| CPEs | cpe:/a:redhat:acm:2 cpe:/a:redhat:advanced_cluster_security:4 cpe:/a:redhat:multicluster_engine cpe:/a:redhat:multicluster_globalhub cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift_data_foundation:4 cpe:/a:redhat:openshift_file_integrity_operator:1 |
|
| Vendors & Products |
Redhat
Redhat acm Redhat advanced Cluster Security Redhat multicluster Engine Redhat multicluster Globalhub Redhat openshift Redhat openshift Data Foundation Redhat openshift File Integrity Operator |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2025-08-07T19:05:08.756Z
Updated: 2025-08-07T19:36:47.691Z
Reserved: 2025-07-07T08:45:21.278Z
Link: CVE-2025-7195
Vulnrichment
Updated: 2025-08-07T19:23:17.337Z
NVD
Status : Awaiting Analysis
Published: 2025-08-07T19:15:29.367
Modified: 2025-08-07T21:26:37.453
Link: CVE-2025-7195
Redhat
No data.