Description
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.

In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Published: 2025-08-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation to root inside container
Action: Patch and Harden
AI Analysis

Impact

Early versions of Operator SDK used a script that set the permissions of /etc/passwd to 664 and owned the file by root group. This allowed any user with membership in the root group within a running container to modify the file and add a new user with UID 0, achieving full root privileges inside the container. The weakness is a misconfiguration of file permissions (CWE-276).

Affected Systems

The vulnerability affects operator images built with Operator SDK before 0.15.2 that still include the insecure user_setup script. This includes Red Hat OpenShift Container Platform, Advanced Cluster Management for Kubernetes, OpenShift Data Foundation, Advanced Cluster Security, OpenShift Virtualization, OpenShift Web Terminal, and other Red Hat products that support operator building with the affected SDK versions.

Risk and Exploitability

The CVSS score is 6.4 and the EPSS score is below 1 %, indicating a moderate severity and low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker must already be able to execute commands inside the container, which is typically achieved through container breakout or an initial compromise, to modify /etc/passwd and elevate privileges. The attack vector is therefore in‑container exploitation relying on improper file permissions.

Generated by OpenCVE AI on April 20, 2026 at 15:52 UTC.

Remediation

Vendor Workaround

In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability. Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required. allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities. SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself. Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.

OpenCVE Recommended Actions

  • Upgrade Operator SDK to version 0.15.2 or later and rebuild all operator images to remove the insecure user_setup script.
  • Set correct file permissions during image build so that /etc/passwd is not group‑writable and is owned by a non‑root group.
  • Apply Red Hat OpenShift security context constraints: use the Restricted‑v2 SCC, drop ALL capabilities, set allowPrivilegeEscalation to false, enforce SELinux with a unique MCS label, and, if possible, set readOnlyRootFilesystem to true.

Generated by OpenCVE AI on April 20, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23951 Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Github GHSA Github GHSA GHSA-856v-8qm2-9wjv operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
History

Tue, 24 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L'}

 cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 16 Jan 2026 00:00:00 +0000

Type Values Removed Values Added
References

Thu, 15 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.8::el9
References

Thu, 15 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 14 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.13::el9
References

Thu, 08 Jan 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.17::el9
cpe:/a:redhat:container_native_virtualization:4.20::el9
References

Tue, 06 Jan 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.18::el9
References

Wed, 17 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.11::el9
References

Wed, 17 Dec 2025 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_file_integrity_operator:1 cpe:/a:redhat:openshift_file_integrity_operator:1::el9
References

Wed, 17 Dec 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.6::el9
References

Tue, 09 Dec 2025 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 09 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc

Mon, 08 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat service Registry
CPEs cpe:/a:redhat:service_registry:2
Vendors & Products Redhat service Registry

Mon, 08 Dec 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhosemc
CPEs cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc
References

Fri, 05 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:devworkspace
Vendors & Products Redhat devworkspace

Thu, 04 Dec 2025 00:00:00 +0000

Type Values Removed Values Added
References

Wed, 03 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
References

Mon, 01 Dec 2025 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.15::el9
cpe:/a:redhat:openshift_data_foundation:4.17::el9
References

Mon, 01 Dec 2025 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.14::el9
References

Mon, 01 Dec 2025 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.16::el9
References

Thu, 20 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Compliance Operator
CPEs cpe:/a:redhat:openshift_compliance_operator:1::el9
Vendors & Products Redhat openshift Compliance Operator
References

Thu, 13 Nov 2025 22:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4 cpe:/a:redhat:openshift_data_foundation:4.18::el9
References

Mon, 10 Nov 2025 01:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.12::el9
cpe:/a:redhat:multicluster_engine:2.7::el9
References

Thu, 06 Nov 2025 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_engine:2.9::el9
References

Thu, 30 Oct 2025 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.14::el9
References

Sun, 31 Aug 2025 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat apicurio Registry
Redhat container Native Virtualization
Redhat devworkspace
Redhat jboss Fuse
Redhat webterminal
CPEs cpe:/a:redhat:apicurio_registry:3
cpe:/a:redhat:container_native_virtualization:4
cpe:/a:redhat:devworkspace
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:webterminal:1
Vendors & Products Redhat apicurio Registry
Redhat container Native Virtualization
Redhat devworkspace
Redhat jboss Fuse
Redhat webterminal

Fri, 08 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
Description Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Fri, 08 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 07 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Description Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Title Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
First Time appeared Redhat
Redhat acm
Redhat advanced Cluster Security
Redhat multicluster Engine
Redhat multicluster Globalhub
Redhat openshift
Redhat openshift Data Foundation
Redhat openshift File Integrity Operator
Weaknesses CWE-276
CPEs cpe:/a:redhat:acm:2
cpe:/a:redhat:advanced_cluster_security:4
cpe:/a:redhat:multicluster_engine
cpe:/a:redhat:multicluster_globalhub
cpe:/a:redhat:openshift:4
cpe:/a:redhat:openshift_data_foundation:4
cpe:/a:redhat:openshift_file_integrity_operator:1
Vendors & Products Redhat
Redhat acm
Redhat advanced Cluster Security
Redhat multicluster Engine
Redhat multicluster Globalhub
Redhat openshift
Redhat openshift Data Foundation
Redhat openshift File Integrity Operator
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Redhat Acm Advanced Cluster Security Apicurio Registry Container Native Virtualization Jboss Fuse Multicluster Engine Multicluster Globalhub Openshift Openshift Compliance Operator Openshift Data Foundation Openshift File Integrity Operator Service Registry Webterminal
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-16T21:54:06.831Z

Reserved: 2025-07-07T08:45:21.278Z

Link: CVE-2025-7195

cve-icon Vulnrichment

Updated: 2025-08-07T19:23:17.337Z

cve-icon NVD

Status : Deferred

Published: 2025-08-07T19:15:29.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7195

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-08-07T18:59:00Z

Links: CVE-2025-7195 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses