Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
Summary
| CVE | CVE-2025-7195 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-08-07 19:15:29 UTC |
| Updated | 2026-06-26 00:16:49 UTC |
| Description | Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. |
Risk And Classification
Primary CVSS: v3.1 6.4 MEDIUM from Red Hat (CNA)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002050000 probability, percentile 0.105980000 (date 2026-06-29)
Problem Types: CWE-276 Incorrect Default Permissions
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | Red Hat (CNA) | Secondary | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local (L) |
| Attack Complexity (AC) | High (H) |
| Privileges Required (PR) | High (H) |
| User Interaction (UI) | None (N) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2025:21368 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22418 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:21885 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHEA-2025:23406 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:19332 | Red Hat (CNA) | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | Red Hat (CNA) | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22415 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:2572 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22683 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22420 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22416 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHEA-2025:23478 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:23529 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:23542 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:23528 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:0627 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5633 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:0718 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:19958 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHEA-2026:0129 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:19961 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:19335 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:0722 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:0737 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/errata/RHSA-2025:22684 | Red Hat (CNA) | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2025-7195 | Red Hat (CNA) | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Antony Di Scala, James Force, and Michael Whale for reporting this issue.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-07-04T08:54:01.878Z | Reported to Red Hat. |
| CNA | 2025-08-07T18:59:00.000Z | Made public. |
Workarounds
CNA: In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.

- Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers.
  - Capabilities: `drop: ALL` removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.
  - `allowPrivilegeEscalation: false` ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.
- SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.
- Filesystem Hardening: While not a default setting, a common security practice is to set `readOnlyRootFilesystem: true` in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like `/etc/passwd`, even if they managed to gain file-level write permissions.
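As an added example (not part of the advisory or the Operator-SDK project), a POSIX shell check for the file condition the description names: an `/etc/passwd` whose group-write bit is set, worst when its group owner is root (gid 0). The function names `assess_passwd_mode` and `check_passwd_file` are chosen here, and the file check assumes GNU `stat` (as found in typical Linux container images).

```shell
#!/bin/sh
# Audit /etc/passwd permission bits for the CVE-2025-7195 condition:
# group-writable (e.g. mode 664) with group owner root (gid 0).
# Added example; not code from the Operator-SDK project or its user_setup script.

# assess_passwd_mode MODE GID
#   MODE: octal permission bits as printed by `stat -c %a` (e.g. 664 or 0644)
#   GID:  numeric group owner of the file
# Returns 0 when neither group nor others can write the file, 1 otherwise.
assess_passwd_mode() {
    mode=$1
    gid=$2
    # Prefix a 0 so the shell's arithmetic expansion parses MODE as octal.
    bits=$((0$mode))
    status=0
    if [ $((bits & 020)) -ne 0 ]; then
        if [ "$gid" -eq 0 ]; then
            echo "VULNERABLE: mode $mode, group root (gid 0): root-group members can edit the file"
        else
            echo "WARNING: mode $mode is group-writable (gid $gid)"
        fi
        status=1
    fi
    if [ $((bits & 002)) -ne 0 ]; then
        echo "VULNERABLE: mode $mode is world-writable"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: mode $mode, gid $gid, writable by owner only"
    fi
    return "$status"
}

# check_passwd_file [PATH]
#   Reads mode and gid of PATH (default /etc/passwd) with GNU stat and assesses
#   them. Run it inside a built image, or against an extracted rootfs, to confirm
#   that the 664 / gid 0 combination from the old user_setup script is gone.
check_passwd_file() {
    file=${1:-/etc/passwd}
    mode=$(stat -c %a "$file") || return 2
    gid=$(stat -c %g "$file") || return 2
    assess_passwd_mode "$mode" "$gid"
}
```

A hardened image should report `OK` for `/etc/passwd`; a nonzero exit from `check_passwd_file` in a CI step is a simple gate against rebuilding with the insecure script.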