CVE-2025-7195

Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Description

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Remediation

Workaround:

  • In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability. Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required. allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities. SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself. Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.

Category

5.2
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.00%
Affected: Red Hat File Integrity Operator
Affected: Red Hat File Integrity Operator
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Engine for Kubernetes
Affected: Red Hat Multicluster Global Hub
Affected: Red Hat Multicluster Global Hub
Affected: Red Hat Multicluster Global Hub
Affected: Red Hat Multicluster Global Hub
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Management for Kubernetes 2
Affected: Red Hat Red Hat Advanced Cluster Security 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat OpenShift Container Platform 4
Affected: Red Hat Red Hat Openshift Data Foundation 4
Affected: Red Hat Red Hat Openshift Data Foundation 4
Affected: Red Hat Red Hat Openshift Data Foundation 4
Affected: Red Hat Red Hat Openshift Data Foundation 4
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/security/cve/CVE-2025-7195 vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2376300 issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-7195?
CVE-2025-7195 has been scored as a medium severity vulnerability.
How to fix CVE-2025-7195?
As a workaround for remediating CVE-2025-7195: In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability. Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required. allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities. SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself. Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.
Is CVE-2025-7195 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-7195 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-7195?
CVE-2025-7195 affects Red Hat File Integrity Operator, Red Hat File Integrity Operator, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Engine for Kubernetes, Red Hat Multicluster Global Hub, Red Hat Multicluster Global Hub, Red Hat Multicluster Global Hub, Red Hat Multicluster Global Hub, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Management for Kubernetes 2, Red Hat Red Hat Advanced Cluster Security 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat OpenShift Container Platform 4, Red Hat Red Hat Openshift Data Foundation 4, Red Hat Red Hat Openshift Data Foundation 4, Red Hat Red Hat Openshift Data Foundation 4, Red Hat Red Hat Openshift Data Foundation 4.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.