What is the severity of CVE-2025-7195?

CVE-2025-7195 has a UNKNOWN severity rating with a CVSS score of 5.2.

CVE-2025-7195

UNKNOWN

Published 2025-08-07T19:05:08.756Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-7195. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

5.2

/10

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

Base Score Metrics

Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Description

In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Understanding This Vulnerability

This Common Vulnerabilities and Exposures (CVE) entry provides detailed information about a security vulnerability that has been publicly disclosed. CVEs are standardized identifiers assigned by MITRE Corporation to track and catalog security vulnerabilities across software and hardware products.

The severity rating (UNKNOWN) indicates the potential impact of this vulnerability based on the CVSS (Common Vulnerability Scoring System) framework. Higher severity ratings typically indicate vulnerabilities that could lead to more significant security breaches if exploited. Security teams should prioritize remediation efforts based on severity, exploit availability, and the EPSS (Exploit Prediction Scoring System) score, which predicts the likelihood of exploitation in the wild.

If this vulnerability affects products or systems in your infrastructure, we recommend reviewing the affected products section, checking for available patches or updates from vendors, and implementing recommended workarounds or solutions until a permanent fix is available. Organizations should also monitor security advisories and threat intelligence feeds for updates about active exploitation of this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Red Hat

Compliance Operator 1

Affected Versions:

sha256:296761e66fbac8934c137df3e0f0027e823b5db5a32eddf24f97489e24f4b8bf

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:1c49bf643ea000a0f92a1d93114a4a866ff51f47947c6a7102fb8e200ae57e8a

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:4364624686c53f5996960296f8ce496ee819d500eab396f35f7bf417dfdf08b9

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:0488dca3cb2db097732fe153483af7c4b2acdb7b0bc241f30e78cdb0474d11bb

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:af41dc511a4fba130590c8528e555fa331d0fea3c617a3f942e98216900d6773

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:ff0c848b18b366afbe60b4fe97c876c0f71999262c9b92eae89db03b1158496f

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:7ccd6c3cf13980e73689da2a969cb29c1875e3bd4a76999a76f588f9f0cde8dd

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:46a940727ab0bb654158deab9b9fa85a768b2fd6bdcf32f9eb0c0b061317be72

Red Hat

multicluster engine for Kubernetes 2.7

Affected Versions:

sha256:17ff83445d5f6c2296f1b5c5061734a7866c84f6951e140f194bb5a1b2c981a2

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:92dcf853dee08f8f68d43d6928df81e0e03cb95ed1c7b9035de089ec831ac12f

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:c124e98be5de4a56ea655e4beca79f2858b32465fd20e07773e7a1395ab698bf

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:5f920fdd7a8222e575e3be8108f35053199041f51ea5aef10afdf16270d2c2e5

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:495c95d1a2df101e0bf9c0eaa3caeb575f596d6098782c3a0a1dcb0342589886

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:b488d0482849357ec15b94803eba470bd3c96a3aa70eb401e5e010d939996fd5

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:36c26ae9529d584fbd4ed24376ff8a83fd583190d4b13461a484e8f49c3ac3b3

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:e9a01f91576307ab1e618ce7e4db1c116b2eb9701c5f5a48b0ad671fa57dc18d

Red Hat

multicluster engine for Kubernetes 2.9

Affected Versions:

sha256:f2b3e838d78b6bd89e5c9f401326d08696fb29b862fa99b701a3b0aa8b705fe4

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2.12

Affected Versions:

sha256:e1ed0e73c99eb402fe547d9c112e3c2b9d23ff1fc5dda797638eebb42f4791be

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2.14

Affected Versions:

sha256:1b56fc6c4b897bb8a62b1fa176af6bace8282b2de38e3e69b5673c5ae3e6848c

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:1ff67f3ff46b59b86c2f29596008440da7da8d594005881c65d6d4ab645aefc6

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:5ee6284d6354e4e55f1ee7eb5a79b833aae6e31bf42bf185c4192e5d373f06e7

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:c8dce4a25f10645edc649576e995b2b6619c8bc39c2c30d3cffbe3a3c3a86b35

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:c6eb556ecea92be74c6175061678d06bb3006a6ccfc5927d2327ddcf244c934b

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:e9f1e2743fe9930ccb470c6eb8d9e9577640fe6a9ab7a013648e513b6216fa74

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:2bd4927011a029a1dd7ba2baa2fdc759d431550879eddc8813d89cb44cdb2767

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:d40189f09ff39240e5e49412c1314d9911fcb957459c7496b215da8c9f758b8e

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:d2cc16ec9cc1f40da3b1967bc9a7b208062c5bc4a2753213ae2c41c62c5115aa

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:c786effa06598ecb80690644d1c9075588e123ad200db05686568a80a1feeb56

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:7ea7c9adce3bb022e345cffcb939e4d4d03e44717ac32a00cbef60d3fb5eb2b3

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:173a4998c70c4c8ff9d0d4f90fb48e8e3d3f8fbc4deeb4f742cbaa38dda61215

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:599bfb2b83e095f88d90a408d4e8bf66bf10070255c5d174ca9ed8668111d25f

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:4da2afb698447df4a45a8bc1b479e57a5da7cd7a3ace09e131717a31155ec8a5

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:da96f0e217a418accd74f8958444423cb4baca7311ee8d3bf70d22c42597f5cb

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:228bbd789e0de72a48a3673fab02aa53b14485fce3b27d2e4cd30eb30f5ac1b6

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:eb4386e6dfb4a2277085dbc44190243c40d973b80e9985fe42378098eb35e6e7

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:65c4003dfb7180e015ec74fe9e599bcc313501ab9b9c67d61fc59a68e6c89349

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:2987990bc63fa58ced038084921bdf168a017bd0b94b296a7c79dc264388339a

Red Hat

Red Hat Openshift Data Foundation 4.18

Affected Versions:

sha256:fdb74e11ba60926cf6abfe7898ffec199d3efe07fb0273e794ba4e10c9f7ad70

Red Hat

File Integrity Operator

Red Hat

File Integrity Operator

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Engine for Kubernetes

Red Hat

Multicluster Global Hub

Red Hat

Multicluster Global Hub

Red Hat

Multicluster Global Hub

Red Hat

Multicluster Global Hub

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Management for Kubernetes 2

Red Hat

Red Hat Advanced Cluster Security 4

Red Hat

Red Hat build of Apicurio Registry 3

Red Hat

Red Hat Fuse 7

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Container Platform 4

Red Hat

Red Hat OpenShift Dev Workspaces Operator

Red Hat

Red Hat OpenShift Dev Workspaces Operator

Red Hat

Red Hat OpenShift Dev Workspaces Operator

Red Hat

Red Hat OpenShift Dev Workspaces Operator

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat OpenShift Virtualization 4

Red Hat

Red Hat Web Terminal

Red Hat

Red Hat Web Terminal

References

https://access.redhat.com/errata/RHSA-2025:19332 (CNA)

https://access.redhat.com/errata/RHSA-2025:19335 (CNA)

https://access.redhat.com/errata/RHSA-2025:19958 (CNA)

https://access.redhat.com/errata/RHSA-2025:19961 (CNA)

https://access.redhat.com/errata/RHSA-2025:21368 (CNA)

https://access.redhat.com/errata/RHSA-2025:21885 (CNA)

https://access.redhat.com/security/cve/CVE-2025-7195 (CNA)

https://bugzilla.redhat.com/show_bug.cgi?id=2376300 (CNA)

Workarounds

In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability.

Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers.

Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required.

allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities.

SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself.

Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.

Credits & Acknowledgments

Red Hat would like to thank Antony Di Scala, James Force, and Michael Whale for reporting this issue.

Timeline

Made public.

Reported to Red Hat.

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

Not EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Malicious code in bioql (PyPI)

Affected Products (ENISA)

red hat

Unknown Product

ENISA Scoring

CVSS Score (3.1)

5.2

/10

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

ENISA References

https://access.redhat.com/security/cve/CVE-2025-7195

https://bugzilla.redhat.com/show_bug.cgi?id=2376300

https://nvd.nist.gov/vuln/detail/CVE-2025-7195

https://github.com/operator-framework/operator-sdk

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd

GHSA-856v-8qm2-9wjv

Advisory Details

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Affected Packages

Go github.com/operator-framework/operator-sdk

ECOSYSTEM: ≥0 <0.15.2

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-7195

WEB https://access.redhat.com/errata/RHSA-2025:19332

WEB https://access.redhat.com/errata/RHSA-2025:19335

WEB https://access.redhat.com/errata/RHSA-2025:19958

WEB https://access.redhat.com/errata/RHSA-2025:19961

WEB https://access.redhat.com/errata/RHSA-2025:21368

WEB https://access.redhat.com/errata/RHSA-2025:21885

WEB https://access.redhat.com/security/cve/CVE-2025-7195

WEB https://bugzilla.redhat.com/show_bug.cgi?id=2376300

PACKAGE https://github.com/operator-framework/operator-sdk

Advisory provided by GitHub Security Advisory Database. Published: August 7, 2025, Modified: November 20, 2025

References

https://access.redhat.com/errata/RHSA-2025:19332

https://access.redhat.com/errata/RHSA-2025:19335

https://access.redhat.com/errata/RHSA-2025:19958

https://access.redhat.com/errata/RHSA-2025:19961

https://access.redhat.com/errata/RHSA-2025:21368

https://access.redhat.com/errata/RHSA-2025:21885

https://access.redhat.com/security/cve/CVE-2025-7195

https://bugzilla.redhat.com/show_bug.cgi?id=2376300

Published: 2025-08-07T19:05:08.756Z

Last Modified: 2025-11-23T06:25:51.631Z

Copied to clipboard!