CVE-2025-7195
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
The vulnerability in Operator-SDK before version 0.15.2 involves an insecure user_setup script that sets permissions of the /etc/passwd file to 664 (group-writable) with group ownership root (gid=0) during image build. An attacker who can execute commands within the container, even as a non-root user, can leverage membership in the root group to modify /etc/passwd and add a new user with any arbitrary UID, including 0, leading to full root privileges within the container.
Risk Assessment
The risk for the organization includes privilege escalation within the container, potentially allowing an attacker to take control of the application running in the container and possibly access sensitive data or further attack the infrastructure.
Recommendation
It is recommended to update Operator-SDK to version 0.15.2 or later and remove or replace the insecure user_setup script in the container image build process. Container images should be rebuilt to eliminate the vulnerability.
Original NVD description (English source)
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

