RHSA-2026:0737
Vulnerability from csaf_redhat - Published: 2026-01-15 23:39 - Updated: 2026-03-26 11:54

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.

In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated OpenShift Compliance Operator image that fixes various bugs and adds new\nenhancements is now available for the Red Hat OpenShift Enterprise 4 catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "The OpenShift Compliance Operator v1.8.1 is now available.\nSee the documentation for bug fix information:\n\nhttps://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/compliance-operator#compliance-operator-release-notes",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0737",
"url": "https://access.redhat.com/errata/RHSA-2026:0737"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-7195",
"url": "https://access.redhat.com/security/cve/CVE-2025-7195"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0737.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Compliance Operator bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-03-26T11:54:17+00:00",
"generator": {
"date": "2026-03-26T11:54:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2026:0737",
"initial_release_date": "2026-01-15T23:39:47+00:00",
"revision_history": [
{
"date": "2026-01-15T23:39:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-15T23:39:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-26T11:54:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Compliance Operator 1",
"product": {
"name": "Compliance Operator 1",
"product_id": "Compliance Operator 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_compliance_operator:1::el9"
}
}
}
],
"category": "product_family",
"name": "Compliance Operator"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-operator-bundle@sha256%3A4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab?arch=amd64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768410159"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3Ac83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0?arch=amd64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768401393"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3Ae75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440?arch=amd64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172657"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3Ac70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6?arch=amd64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172795"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3Aeaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d?arch=amd64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172669"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a?arch=arm64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768401393"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50?arch=arm64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172657"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3A50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96?arch=arm64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172795"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2?arch=arm64\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172669"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768401393"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172657"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3Abd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172795"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3A74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b?arch=ppc64le\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172669"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-content-rhel8@sha256%3A45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5?arch=s390x\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768401393"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-must-gather-rhel8@sha256%3A7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c?arch=s390x\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172657"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-openscap-rhel8@sha256%3A0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5?arch=s390x\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172795"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"product": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"product_id": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-compliance-rhel8-operator@sha256%3Ae043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528?arch=s390x\u0026repository_url=registry.redhat.io/compliance\u0026tag=1768172669"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"relates_to_product_reference": "Compliance Operator 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64 as a component of Compliance Operator 1",
"product_id": "Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64"
},
"product_reference": "registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64",
"relates_to_product_reference": "Compliance Operator 1"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Antony Di Scala",
"Michael Whale",
"James Force"
]
}
],
"cve": "CVE-2025-7195",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2025-07-04T08:54:01.878000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2376300"
}
],
"notes": [
{
"category": "description",
"text": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. \n\nIn affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability as moderate severity for affected products which run on OpenShift. The vulnerability allows for potential privilege escalation within a container, but OpenShift\u0027s default, multi-layered security posture effectively mitigates this risk. \n\nThe primary controls include the default Security Context Constraints (SCC), which severely limit a container\u0027s permissions from the start, and SELinux, which enforces mandatory access control to ensure strict isolation. While other container runtime environments may have different controls available and require case-by-case analysis, OpenShift\u0027s built-in defenses are designed to prevent this type of attack.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64"
],
"known_not_affected": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-7195"
},
{
"category": "external",
"summary": "RHBZ#2376300",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-7195",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7195"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
}
],
"release_date": "2025-08-07T18:59:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-15T23:39:47+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your\nsystem have been applied. For details on how to apply this update, refer to:\n \nhttps://docs.openshift.com/container-platform/latest/updating/updating_a_cluster/updating-cluster-cli.html",
"product_ids": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0737"
},
{
"category": "workaround",
"details": "In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.\n\nSecurity Context Constraints (SCCs): The default SCC, restricted-v2, applies several crucial security settings to containers.\n\nCapabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks; an entry added to a group-writable /etc/passwd is of limited use to a process that cannot then switch to the new UID. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.\n\nallowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.\n\nSELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.\n\nFilesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container\u0027s security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.",
"product_ids": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45639de3f6d9e482f9dbbba28e08ac892001bc2f53829d520769ffdf17fcfca5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:5021683827a84666f7d7db8c2946d6df6fe440a60fae4b4116cb3d7069ce0f8a_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:97eb97d086c27db57d8e796a034064323792bc6666643b36c5c8439730d3f60d_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:c83b17521bcf4687ce625af3e4771af79acbfe06a84f8361babfa3de5c96f8c0_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:7073072fe893e3ef6e0a17e6f3937c523a58b96cb1f1a5ed7e9c4e3a5ceddb1c_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:8785d63200e3d69438ff6ccbdf46c58b14deceb13140ec878482d0b28c888b50_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:9d6b9b992968665864c87dd5996981e24276043e7ca742707fa745a059e4c44e_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-must-gather-rhel8@sha256:e75496b12cc5ea8ee990f5c48eb226a985f0fac77dfd9358999a915d6e3f8440_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:0b6981c2ca3a9ca0082d639754a414947697b8d3493ebb46446f5a24b63f42b5_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:50dab241896f4531ce58a67788cb2e52c7ccef7e87d457ff5b582e7b77414f96_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:bd2924732958a2d3c06dc66a141ad26824bf11d99b175430291ccee84d0aeb2b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-openscap-rhel8@sha256:c70223946fe2da42492f18184540c67d95f109c1f4eac89b6fae8ddcc64aebb6_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-operator-bundle@sha256:4d0f9d6fd1a4856a870e48b99dc3714de17a65813e0caea50564cd63c79f11ab_amd64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:0deacfbd0d55638fb334e2435007586fcfd3a08328c3a7c9b2908bb0cab759c2_arm64",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:74010cf229f6fa17a927e56f63db06f9fe4ce61dce5e8bece77d05a082c49e3b_ppc64le",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:e043fdf674a120f56d62a0c6ff2b91bc8c61875d5ce371abc3540714928e0528_s390x",
"Compliance Operator 1:registry.redhat.io/compliance/openshift-compliance-rhel8-operator@sha256:eaddf506bddce47e0ea3fc4e5e827533a7349d228964dfbc919044f8e7f7108d_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd"
}
]
}