CVE-2025-14243 - Vulnerability Details

- Mirror-registry: openshift mirror registry: user enumeration via authentication error messages

Description

A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.

Published: 2026-04-08

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the OpenShift Mirror Registry lets an unauthenticated attacker discover existing usernames and email addresses by receiving different error responses during login attempts or account creation. The disclosed information (CWE‑209) can be used to plan credential‑guessing or social‑engineering attacks, but it does not provide direct access to data or code execution.

Affected Systems

The vulnerability affects Red Hat Mirror Registry for OpenShift and its second version, as sold and maintained by Red Hat. All known releases of these products are potentially impacted; specific version ranges are not detailed in the advisory.

Risk and Exploitability

The CVSS base score of 5.3 places the issue in the moderate severity range. No EPSS score or KEV listing is available, suggesting the risk is not currently high from a deployment‑level viewpoint. The attack vector is remote and unauthenticated, requiring no special credentials. Any host that can reach the Mirror Registry service can enumerate valid users, increasing the likelihood of subsequent targeted credential attacks. The information revelation remains the primary impact, though it lays groundwork for more serious exploits if attackers combine it with other weaknesses.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	mirror registry for Red Hat OpenShift	affected	—
Red Hat	mirror registry for Red Hat OpenShift 2	affected	—

No data.

Vendor Product Confidence Versions

Redhat

Mirror Registry

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

Apply any vendor patch or update that addresses the vulnerability as soon as it becomes available.
If no patch is released yet, stay alert to Red Hat security advisories and confirm the issue is fixed before proceeding further.
As a temporary measure, reduce the detail in authentication error messages to prevent revealing whether a username exists.
Restrict external access to the Mirror Registry service using network segmentation or firewall rules to lower the attack surface.

Generated by OpenCVE AI on April 8, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2025-14243
https://bugzilla.redhat.com/show_bug.cgi?id=2419829
https://nvd.nist.gov/vuln/detail/CVE-2025-14243
https://www.cve.org/CVERecord?id=CVE-2025-14243

History

Thu, 09 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-14243 https://www.cve.org/CVERecord?id=CVE-2025-14243
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
Title		Mirror-registry: openshift mirror registry: user enumeration via authentication error messages
First Time appeared		Redhat Redhat mirror Registry
Weaknesses		CWE-209
CPEs		cpe:/a:redhat:mirror_registry:1 cpe:/a:redhat:mirror_registry:2
Vendors & Products		Redhat Redhat mirror Registry
References		https://access.redhat.com/security/cve/CVE-2025-14243 https://bugzilla.redhat.com/show_bug.cgi?id=2419829
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Redhat Mirror Registry

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-04-08T16:41:55.597Z

Updated: 2026-04-08T21:46:14.175Z

Reserved: 2025-12-08T04:22:54.845Z

Link: CVE-2025-14243

Vulnrichment

Updated: 2026-04-08T19:15:12.643Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T17:20:25.247

Modified: 2026-04-08T21:26:13.410

Link: CVE-2025-14243

Redhat

Severity : Moderate

Publid Date: 2026-04-08T16:31:00Z

Links: CVE-2025-14243 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:18:42Z

Weaknesses

CWE-209

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object