Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2025-7195
5.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 2 weeks ago
  • @LeSuisse dismissed 2 months, 2 weeks ago
Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

References

Affected products

operator-sdk
  • <0.15.2
odf4/cephcsi-rhel9
  • *
odf4/mcg-cli-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/odf-must-gather-rhel9
  • *
openshift4/cnf-tests-rhel8
openshift4/cnf-tests-rhel9
odf4/cephcsi-rhel9-operator
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
rhacm2/rbac-query-proxy-rhel9
rhacm2/search-collector-rhel9
multicluster-engine/work-rhel8
multicluster-engine/work-rhel9
  • *
odf4/ocs-client-rhel9-operator
  • *
rhacm2/metrics-collector-rhel9
odf4/ocs-metrics-exporter-rhel9
  • *
apicurio/apicurio-registry-rhel8
  • *
apicurio/apicurio-studio-ui-rhel8
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
openshift4/ztp-site-generate-rhel8
rhacm2/iam-policy-controller-rhel9
apicurio/apicurio-registry-ui-rhel8
  • *
fuse7/fuse-apicurito-rhel8-operator
multicluster-engine/discovery-rhel8
multicluster-engine/discovery-rhel9
  • *
multicluster-engine/placement-rhel8
multicluster-engine/placement-rhel9
  • *
odf4/odf-multicluster-console-rhel9
  • *
rhacm2/acm-cluster-permission-rhel8
rhacm2/acm-cluster-permission-rhel9
  • *
rhacm2/cert-policy-controller-rhel9
odf4/odf-multicluster-rhel9-operator
  • *
rhacm2/cluster-backup-rhel9-operator
  • *
rhacm2/multicloud-integrations-rhel8
rhacm2/multicloud-integrations-rhel9
  • *
web-terminal/web-terminal-exec-rhel9
rhacm2/config-policy-controller-rhel9
rhacm2/grafana-dashboard-loader-rhel9
multicluster-engine/registration-rhel8
multicluster-engine/registration-rhel9
  • *
multicluster-engine/addon-manager-rhel8
multicluster-engine/addon-manager-rhel9
  • *
devworkspace/devworkspace-rhel8-operator
devworkspace/devworkspace-rhel9-operator
rhacm2/klusterlet-addon-controller-rhel8
rhacm2/klusterlet-addon-controller-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
apicurio/apicurio-registry-rhel8-operator
  • *
rhacm2/endpoint-monitoring-rhel9-operator
rhacm2/governance-policy-propagator-rhel9
openshift4/lifecycle-agent-operator-bundle
rhacm2/multicluster-operators-channel-rhel8
rhacm2/multicluster-operators-channel-rhel9
  • *
apicurio/apicurio-registry-3-operator-bundle
  • *
devworkspace/devworkspace-project-clone-rhel8
devworkspace/devworkspace-project-clone-rhel9
advanced-cluster-security/rhacs-rhel8-operator
compliance/openshift-compliance-rhel8-operator
  • *
container-native-virtualization/virt-api-rhel9
  • *
container-native-virtualization/pr-helper-rhel9
  • *
multicluster-engine/registration-operator-rhel8
multicluster-engine/registration-operator-rhel9
  • *
rhacm2/multicluster-operators-application-rhel8
rhacm2/multicluster-operators-application-rhel9
  • *
container-native-virtualization/aaq-server-rhel9
  • *
container-native-virtualization/virtio-win-rhel9
  • *
container-native-virtualization/wasp-agent-rhel9
  • *
rhacm2/multicluster-observability-rhel9-operator
rhacm2/multicluster-operators-subscription-rhel9
  • *
container-native-virtualization/kubemacpool-rhel9
  • *
compliance/openshift-file-integrity-rhel8-operator
  • *
container-native-virtualization/aaq-operator-rhel9
  • *
container-native-virtualization/sidecar-shim-rhel9
  • *
container-native-virtualization/virt-handler-rhel9
  • *
rhacm2/acm-governance-policy-framework-addon-rhel9
compliance/openshift-file-integrity-operator-bundle
container-native-virtualization/bridge-marker-rhel9
  • *
container-native-virtualization/virt-launcher-rhel9
  • *
container-native-virtualization/virt-operator-rhel9
  • *
multicluster-engine/hypershift-addon-rhel8-operator
multicluster-engine/hypershift-addon-rhel9-operator
container-native-virtualization/aaq-controller-rhel9
  • *
container-native-virtualization/ovs-cni-plugin-rhel9
  • *
container-native-virtualization/cnv-must-gather-rhel9
  • *
container-native-virtualization/virt-cdi-cloner-rhel9
  • *
container-native-virtualization/virt-controller-rhel9
  • *
container-native-virtualization/kubesecondarydns-rhel9
  • *
container-native-virtualization/libguestfs-tools-rhel9
  • *
container-native-virtualization/virt-exportproxy-rhel9
  • *
container-native-virtualization/vm-console-proxy-rhel9
  • *
container-native-virtualization/virt-cdi-importer-rhel9
  • *
container-native-virtualization/virt-cdi-operator-rhel9
  • *
container-native-virtualization/virt-exportserver-rhel9
  • *
container-native-virtualization/virt-cdi-apiserver-rhel9
  • *
multicluster-engine/clusterlifecycle-state-metrics-rhel8
multicluster-engine/clusterlifecycle-state-metrics-rhel9
  • *
container-native-virtualization/hco-bundle-registry-rhel9
  • *
container-native-virtualization/hostpath-csi-driver-rhel9
  • *
container-native-virtualization/virt-cdi-controller-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-agent-rhel9
container-native-virtualization/hostpath-provisioner-rhel9
  • *
container-native-virtualization/virt-cdi-uploadproxy-rhel9
  • *
multicluster-engine/managedcluster-import-controller-rhel8
multicluster-engine/managedcluster-import-controller-rhel9
  • *
container-native-virtualization/kubevirt-dpdk-checkup-rhel9
  • *
container-native-virtualization/kubevirt-ssp-operator-rhel9
  • *
container-native-virtualization/virt-artifacts-server-rhel9
  • *
container-native-virtualization/virt-cdi-uploadserver-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-manager-rhel9
openshift4/topology-aware-lifecycle-manager-operator-bundle
multicluster-globalhub/multicluster-globalhub-rhel9-operator
container-native-virtualization/kubevirt-console-plugin-rhel9
  • *
container-native-virtualization/multus-dynamic-networks-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-operator-bundle
container-native-virtualization/kubevirt-apiserver-proxy-rhel9
  • *
container-native-virtualization/kubevirt-ipam-controller-rhel9
  • *
container-native-virtualization/kubevirt-storage-checkup-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator
container-native-virtualization/kubevirt-realtime-checkup-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm
container-native-virtualization/vm-network-latency-checkup-rhel9
  • *
container-native-virtualization/kubevirt-template-validator-rhel9
  • *
container-native-virtualization/hostpath-provisioner-operator-rhel9
  • *
container-native-virtualization/kubevirt-common-instancetypes-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-webhook-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator-rhel9
  • *
container-native-virtualization/cnv-containernetworking-plugins-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-operator-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm-rhel9
container-native-virtualization/passt-network-binding-plugin-cni-rhel9
  • *
container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status
container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status-rhel9

Matching in nixpkgs

pkgs.operator-sdk

SDK for building Kubernetes applications. Provides high level APIs, useful abstractions, and project scaffolding

Package maintainers

First version introduced in nixpkgs is 0.18.2 (https://github.com/NixOS/nixpkgs/commit/5458f54a8301f59a8acf5d42856d84f8019efd8d).