{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3528", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-04-11T18:46:42.874Z", "datePublished": "2025-05-09T11:58:24.957Z", "dateUpdated": "2025-09-25T02:43:36.147Z"}, "containers": {"cna": {"title": "Mirror-registry: local privilege escalation due to incorrect permissions in mirror-registry", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2", "versionType": "custom"}], "packageName": "mirror-registry", "collectionURL": "https://access.redhat.com/downloads/content/686/ver=2/rhel---8/2/x86_64/product-software", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "MIRROR-REGISTRY-2.0-RHEL-8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "versions": [{"version": "v2.0.7-9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:mirror_registry:2.0.0::el8"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mirror-registry-container", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}], "references": [{"url": "https://access.redhat.com/errata/RHBA-2025:9645", "name": "RHBA-2025:9645", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-3528", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359143", "name": "RHBZ#2359143", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-04-11T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-276: Incorrect Default Permissions", "workarounds": [{"lang": "en", "value": "This issue can be mitigated by setting this line in each mirror registry systemd configurations:\n\n--security-opt=no-new-privileges\n\nThis would prevent any privilege escalation until the issue is fixed."}], "timeline": [{"lang": "en", "time": "2025-04-11T18:57:24.546000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-04-11T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Mike Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-09-25T02:43:36.147Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T14:01:56.315475Z", "id": "CVE-2025-3528", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:10:27.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T14:01:56.315475Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:10:19.394Z"}}], "cna": {"title": "Mirror-registry: local privilege escalation due to incorrect permissions in mirror-registry", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Mike Whale for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2", "versionType": "custom"}], "packageName": "mirror-registry", "collectionURL": "https://access.redhat.com/downloads/content/686/ver=2/rhel---8/2/x86_64/product-software", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:mirror_registry:2.0.0::el8"], "vendor": "Red Hat", "product": "MIRROR-REGISTRY-2.0-RHEL-8", "versions": [{"status": "unaffected", "version": "v2.0.7-9", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:mirror_registry:1"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "packageName": "mirror-registry-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-04-11T18:57:24.546000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-04-11T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-04-11T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHBA-2025:9645", "name": "RHBA-2025:9645", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-3528", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359143", "name": "RHBZ#2359143", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "This issue can be mitigated by setting this line in each mirror registry systemd configurations:\n\n--security-opt=no-new-privileges\n\nThis would prevent any privilege escalation until the issue is fixed."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-09-25T02:43:36.147Z"}, "x_redhatCweChain": "CWE-276: Incorrect Default Permissions"}}, "cveMetadata": {"cveId": "CVE-2025-3528", "state": "PUBLISHED", "dateUpdated": "2025-09-25T02:43:36.147Z", "dateReserved": "2025-04-11T18:46:42.874Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-05-09T11:58:24.957Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod."}, {"lang": "es", "value": "Se detect\u00f3 una falla en Mirror Registry. El contenedor quay-app, incluido en el Registro Mirror para OpenShift, tiene acceso de escritura al archivo `/etc/passwd`. Esta falla permite que un usuario malicioso con acceso al contenedor modifique el archivo passwd y ascienda sus privilegios al usuario root dentro de ese pod."}], "id": "CVE-2025-3528", "lastModified": "2025-08-14T18:15:29.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-05-09T12:15:33.223", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHBA-2025:9645"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-3528"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359143"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Mike Whale for reporting this issue.", "bugzilla": {"description": "mirror-registry: Local privilege escalation due to incorrect permissions in mirror-registry", "id": "2359143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359143"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-276", "details": ["A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod.", "A flaw was found in the Mirror Registry. The quay-app container shipped as part of the Mirror Registry for OpenShift has write access to the `/etc/passwd`. This flaw allows a malicious actor with access to the container to modify the passwd file and elevate their privileges to the root user within that pod."], "mitigation": {"lang": "en:us", "value": "This issue can be mitigated by setting this line in each mirror registry systemd configurations:\n--security-opt=no-new-privileges\nThis would prevent any privilege escalation until the issue is fixed."}, "name": "CVE-2025-3528", "package_state": [{"cpe": "cpe:/a:redhat:mirror_registry:1", "fix_state": "Affected", "package_name": "mirror-registry-container", "product_name": "mirror registry for Red Hat OpenShift"}], "public_date": "2024-04-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3528\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3528"], "statement": "This issue was classified with and Important severity according to the severity ratings described at https://access.redhat.com/security/updates/classification. This rating was given because the attacker, when a successfully attack is performed, can elevate its privilege to the root user.", "threat_severity": "Important"}