Insecure User Permissions in Operator-SDK from Red Hat
CVE-2025-7195

5.2 MEDIUM

What is CVE-2025-7195?

Early releases of the Operator-SDK from Red Hat contained a security flaw that allowed the /etc/passwd file to be built with insecure group-writable permissions. The issue arises from the 'user_setup' script, which modifies file permissions during the container image build process. If an attacker gains access to an impacted container, they can exploit their non-root user's membership in the root group to alter the /etc/passwd file. This could allow the attacker to create new user accounts with arbitrary user IDs, including root privileges, posing a severe security risk to the container and its environment.
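The condition described above can be checked on an unpacked image root filesystem. The script below is an added example, not code from Red Hat or the Operator-SDK project; the function names and the rootfs directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked container root filesystem for the
# condition described in CVE-2025-7195. Function names are illustrative.

# Exit 0 when <rootfs>/etc/passwd has the group-write bit set and its group
# owner is <gid> (default 0, the root group). Exit 2 if the file is missing.
passwd_writable_by_gid() {
    rootfs=$1
    gid=${2:-0}
    f="$rootfs/etc/passwd"
    [ -f "$f" ] || return 2
    # -perm -020 matches only when the group-write bit is set.
    [ -n "$(find "$f" -prune -perm -020 -print)" ] || return 1
    # The fourth field of `ls -ln` is the numeric group owner.
    owner_gid=$(ls -ln "$f" | awk '{print $4}')
    [ "$owner_gid" = "$gid" ]
}

# Print the names of accounts other than "root" that carry UID 0, which is
# what a tampered passwd file would contain.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1/etc/passwd"
}

# Report both findings for one rootfs; exit 1 if anything was found.
audit_rootfs() {
    rootfs=$1
    rc=0
    if passwd_writable_by_gid "$rootfs" 0; then
        echo "FINDING: $rootfs/etc/passwd is writable by group 0 (conventional mode is 0644)"
        rc=1
    fi
    extra=$(extra_uid0_accounts "$rootfs")
    if [ -n "$extra" ]; then
        echo "FINDING: unexpected UID 0 accounts:" $extra
        rc=1
    fi
    return $rc
}

# Run the audit when a rootfs directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_rootfs "$1"
fi
```

Pass the directory that holds the exported image filesystem as the only argument; an exit status of 1 means at least one finding was printed.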

Affected Version(s)

Compliance Operator 1 sha256:9bc1fca7173d0080640ff9900d362512e480012a616922f4763e8e6becd8f520

Compliance Operator 1 sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b

File Integrity Operator 1 sha256:822fc16687164f666df5e498030bec3d3ab1e07d0a0576cc133a468e4ea01cf2

CVSS V3.1

Score: 5.2
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
