Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: operator-sdk

Found 2 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2025-32963
created 2 months ago
Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS

MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.

References

Affected products

operator
  • ==< 7.1.0

Matching in nixpkgs

pkgs.operator-sdk

SDK for building Kubernetes applications. Provides high level APIs, useful abstractions, and project scaffolding

Package maintainers

Dismissed
Permalink CVE-2025-7195
5.2 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): LOW
updated 2 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 2 weeks ago
  • @LeSuisse dismissed 2 months, 2 weeks ago
Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

References

Affected products

operator-sdk
  • <0.15.2
odf4/cephcsi-rhel9
  • *
odf4/mcg-cli-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/odf-must-gather-rhel9
  • *
openshift4/cnf-tests-rhel8
openshift4/cnf-tests-rhel9
odf4/cephcsi-rhel9-operator
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
rhacm2/rbac-query-proxy-rhel9
rhacm2/search-collector-rhel9
multicluster-engine/work-rhel8
multicluster-engine/work-rhel9
  • *
odf4/ocs-client-rhel9-operator
  • *
rhacm2/metrics-collector-rhel9
odf4/ocs-metrics-exporter-rhel9
  • *
apicurio/apicurio-registry-rhel8
  • *
apicurio/apicurio-studio-ui-rhel8
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
openshift4/ztp-site-generate-rhel8
rhacm2/iam-policy-controller-rhel9
apicurio/apicurio-registry-ui-rhel8
  • *
fuse7/fuse-apicurito-rhel8-operator
multicluster-engine/discovery-rhel8
multicluster-engine/discovery-rhel9
  • *
multicluster-engine/placement-rhel8
multicluster-engine/placement-rhel9
  • *
odf4/odf-multicluster-console-rhel9
  • *
rhacm2/acm-cluster-permission-rhel8
rhacm2/acm-cluster-permission-rhel9
  • *
rhacm2/cert-policy-controller-rhel9
odf4/odf-multicluster-rhel9-operator
  • *
rhacm2/cluster-backup-rhel9-operator
  • *
rhacm2/multicloud-integrations-rhel8
rhacm2/multicloud-integrations-rhel9
  • *
web-terminal/web-terminal-exec-rhel9
rhacm2/config-policy-controller-rhel9
rhacm2/grafana-dashboard-loader-rhel9
multicluster-engine/registration-rhel8
multicluster-engine/registration-rhel9
  • *
multicluster-engine/addon-manager-rhel8
multicluster-engine/addon-manager-rhel9
  • *
devworkspace/devworkspace-rhel8-operator
devworkspace/devworkspace-rhel9-operator
rhacm2/klusterlet-addon-controller-rhel8
rhacm2/klusterlet-addon-controller-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
apicurio/apicurio-registry-rhel8-operator
  • *
rhacm2/endpoint-monitoring-rhel9-operator
rhacm2/governance-policy-propagator-rhel9
openshift4/lifecycle-agent-operator-bundle
rhacm2/multicluster-operators-channel-rhel8
rhacm2/multicluster-operators-channel-rhel9
  • *
apicurio/apicurio-registry-3-operator-bundle
  • *
devworkspace/devworkspace-project-clone-rhel8
devworkspace/devworkspace-project-clone-rhel9
advanced-cluster-security/rhacs-rhel8-operator
compliance/openshift-compliance-rhel8-operator
  • *
container-native-virtualization/virt-api-rhel9
  • *
container-native-virtualization/pr-helper-rhel9
  • *
multicluster-engine/registration-operator-rhel8
multicluster-engine/registration-operator-rhel9
  • *
rhacm2/multicluster-operators-application-rhel8
rhacm2/multicluster-operators-application-rhel9
  • *
container-native-virtualization/aaq-server-rhel9
  • *
container-native-virtualization/virtio-win-rhel9
  • *
container-native-virtualization/wasp-agent-rhel9
  • *
rhacm2/multicluster-observability-rhel9-operator
rhacm2/multicluster-operators-subscription-rhel9
  • *
container-native-virtualization/kubemacpool-rhel9
  • *
compliance/openshift-file-integrity-rhel8-operator
  • *
container-native-virtualization/aaq-operator-rhel9
  • *
container-native-virtualization/sidecar-shim-rhel9
  • *
container-native-virtualization/virt-handler-rhel9
  • *
rhacm2/acm-governance-policy-framework-addon-rhel9
compliance/openshift-file-integrity-operator-bundle
container-native-virtualization/bridge-marker-rhel9
  • *
container-native-virtualization/virt-launcher-rhel9
  • *
container-native-virtualization/virt-operator-rhel9
  • *
multicluster-engine/hypershift-addon-rhel8-operator
multicluster-engine/hypershift-addon-rhel9-operator
container-native-virtualization/aaq-controller-rhel9
  • *
container-native-virtualization/ovs-cni-plugin-rhel9
  • *
container-native-virtualization/cnv-must-gather-rhel9
  • *
container-native-virtualization/virt-cdi-cloner-rhel9
  • *
container-native-virtualization/virt-controller-rhel9
  • *
container-native-virtualization/kubesecondarydns-rhel9
  • *
container-native-virtualization/libguestfs-tools-rhel9
  • *
container-native-virtualization/virt-exportproxy-rhel9
  • *
container-native-virtualization/vm-console-proxy-rhel9
  • *
container-native-virtualization/virt-cdi-importer-rhel9
  • *
container-native-virtualization/virt-cdi-operator-rhel9
  • *
container-native-virtualization/virt-exportserver-rhel9
  • *
container-native-virtualization/virt-cdi-apiserver-rhel9
  • *
multicluster-engine/clusterlifecycle-state-metrics-rhel8
multicluster-engine/clusterlifecycle-state-metrics-rhel9
  • *
container-native-virtualization/hco-bundle-registry-rhel9
  • *
container-native-virtualization/hostpath-csi-driver-rhel9
  • *
container-native-virtualization/virt-cdi-controller-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-agent-rhel9
container-native-virtualization/hostpath-provisioner-rhel9
  • *
container-native-virtualization/virt-cdi-uploadproxy-rhel9
  • *
multicluster-engine/managedcluster-import-controller-rhel8
multicluster-engine/managedcluster-import-controller-rhel9
  • *
container-native-virtualization/kubevirt-dpdk-checkup-rhel9
  • *
container-native-virtualization/kubevirt-ssp-operator-rhel9
  • *
container-native-virtualization/virt-artifacts-server-rhel9
  • *
container-native-virtualization/virt-cdi-uploadserver-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-manager-rhel9
openshift4/topology-aware-lifecycle-manager-operator-bundle
multicluster-globalhub/multicluster-globalhub-rhel9-operator
container-native-virtualization/kubevirt-console-plugin-rhel9
  • *
container-native-virtualization/multus-dynamic-networks-rhel9
  • *
multicluster-globalhub/multicluster-globalhub-operator-bundle
container-native-virtualization/kubevirt-apiserver-proxy-rhel9
  • *
container-native-virtualization/kubevirt-ipam-controller-rhel9
  • *
container-native-virtualization/kubevirt-storage-checkup-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator
container-native-virtualization/kubevirt-realtime-checkup-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm
container-native-virtualization/vm-network-latency-checkup-rhel9
  • *
container-native-virtualization/kubevirt-template-validator-rhel9
  • *
container-native-virtualization/hostpath-provisioner-operator-rhel9
  • *
container-native-virtualization/kubevirt-common-instancetypes-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-webhook-rhel9
  • *
container-native-virtualization/cluster-network-addons-operator-rhel9
  • *
container-native-virtualization/cnv-containernetworking-plugins-rhel9
  • *
container-native-virtualization/hyperconverged-cluster-operator-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm-rhel9
container-native-virtualization/passt-network-binding-plugin-cni-rhel9
  • *
container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status
container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9
  • *
container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status-rhel9

Matching in nixpkgs

pkgs.operator-sdk

SDK for building Kubernetes applications. Provides high level APIs, useful abstractions, and project scaffolding

Package maintainers

First version introduced in nixpkgs is 0.18.2 (https://github.com/NixOS/nixpkgs/commit/5458f54a8301f59a8acf5d42856d84f8019efd8d).