Incorrect Default Permissions Affecting compliance/openshift-file-integrity-operator-bundle package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Incorrect Default Permissions vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-RHEL7-COMPLIANCEOPENSHIFTFILEINTEGRITYOPERATORBUNDLE-11539059
- published8 Aug 2025
- disclosed7 Aug 2025
Introduced: 7 Aug 2025
NewCVE-2025-7195 (opens in a new tab)How to fix?
There is no fixed version for RHEL:7 compliance/openshift-file-integrity-operator-bundle.
NVD Description
Note: Versions mentioned in the description apply only to the upstream compliance/openshift-file-integrity-operator-bundle package and not the compliance/openshift-file-integrity-operator-bundle package as distributed by RHEL.
See How to fix? for RHEL:7 relevant fixed versions and status.
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images.
In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.