{"api_version":"1","generated_at":"2026-04-08T19:54:19+00:00","cve":"CVE-2025-14243","urls":{"html":"https://cve.report/CVE-2025-14243","api":"https://cve.report/api/cve/CVE-2025-14243.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-14243","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-14243"},"summary":{"title":"Mirror-registry: openshift mirror registry: user enumeration via authentication error messages","description":"A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-04-08 17:20:25","updated_at":"2026-04-08 17:20:25"},"problem_types":["CWE-209","CWE-209 Generation of Error Message Containing Sensitive Information"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Primary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2419829","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2419829","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2025-14243","name":"https://access.redhat.com/security/cve/CVE-2025-14243","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-14243","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14243","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"mirror registry for Red Hat OpenShift","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"mirror registry for Red Hat OpenShift 2","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-12-08T04:22:23.735Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-04-08T16:31:00.659Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Antony Di Scala (Lloyds Banking) and Michael Whale (Lloyds BankingLloyds Banking) for reporting this issue.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:mirror_registry:1"],"defaultStatus":"affected","packageName":"openshift/mirror-registry-rhel8","product":"mirror registry for Red Hat OpenShift","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:mirror_registry:2"],"defaultStatus":"affected","packageName":"openshift/mirror-registry-rhel8","product":"mirror registry for Red Hat OpenShift 2","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Antony Di Scala (Lloyds Banking) and Michael Whale (Lloyds BankingLloyds Banking) for reporting this issue."}],"datePublic":"2026-04-08T16:31:00.659Z","descriptions":[{"lang":"en","value":"A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Moderate"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-209","description":"Generation of Error Message Containing Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:41:55.597Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-14243"},{"name":"RHBZ#2419829","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2419829"}],"timeline":[{"lang":"en","time":"2025-12-08T04:22:23.735Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-08T16:31:00.659Z","value":"Made public."}],"title":"Mirror-registry: openshift mirror registry: user enumeration via authentication error messages","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-209: Generation of Error Message Containing Sensitive Information"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2025-14243","datePublished":"2026-04-08T16:41:55.597Z","dateReserved":"2025-12-08T04:22:54.845Z","dateUpdated":"2026-04-08T16:41:55.597Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-08 17:20:25","lastModifiedDate":"2026-04-08 17:20:25","problem_types":["CWE-209","CWE-209 Generation of Error Message Containing Sensitive Information"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"14243","Ordinal":"1","Title":"Mirror-registry: openshift mirror registry: user enumeration via","CVE":"CVE-2025-14243","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"14243","Ordinal":"1","NoteData":"A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.","Type":"Description","Title":"Mirror-registry: openshift mirror registry: user enumeration via"}]}}}