exploitDog


CVE-2025-6032

Published: 24 Jun 2025
Source: redhat
CVSS3: 8.3
EPSS: Low

Description

A flaw was found in Podman. The podman machine init command does not verify the TLS certificate of the OCI registry it downloads VM images from, so an attacker on the network path can impersonate the registry and substitute the image (a man-in-the-middle attack).

Report

To exploit this flaw, a user has to run podman machine init so that it downloads a VM image from an OCI registry. Because the client does not validate the certificate, a registry endpoint presenting an invalid TLS certificate (for example one forged by the attacker) is accepted as genuine. This allows a remote attacker with access to the network path between the registry and the client to perform a man-in-the-middle attack and serve a substituted VM image.
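The flaw class described above (CWE-295, a client that does not validate the server certificate) can be reproduced without any network access. The following Go program is an added example, not Podman's own code: it starts an in-process TLS server whose self-signed certificate (generated by net/http/httptest) stands in for the certificate an on-path attacker would present, and serves a constructed manifest body at a hypothetical registry path. A client built with InsecureSkipVerify, the vulnerable pattern, downloads whatever is served; a client that verifies against its trust store refuses the connection, and succeeds only once the genuine issuer is in its root pool.

```go
package main

// Added example, not Podman's code. Demonstrates CWE-295 (improper certificate
// validation) against an untrusted TLS endpoint that stands in for a registry
// impersonated by a man in the middle.

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch performs a GET over TLS with the supplied client configuration and
// returns the response body.
func fetch(url string, tlsCfg *tls.Config) ([]byte, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// vulnerableTLS is the pattern behind CWE-295: every certificate is accepted,
// so an on-path attacker can present a self-signed one and substitute the image.
func vulnerableTLS() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedTLS verifies the chain against the given roots (nil means the
// system trust store) and refuses protocol versions older than TLS 1.2.
func hardenedTLS(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// DemoResult records how each client configuration treated the untrusted server.
type DemoResult struct {
	InsecureAccepted bool   // InsecureSkipVerify client downloaded the payload
	SystemRootsErr   string // error from the verifying client (empty = accepted)
	PinnedAccepted   bool   // verifying client with the server's own cert as root
}

// RunDemo stands up a TLS server with a self-signed certificate (httptest
// generates one), serving a constructed OCI-style manifest, and queries it
// with each client configuration.
func RunDemo() DemoResult {
	const manifest = `{"schemaVersion":2,"layers":[]}` // constructed sample body
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, manifest)
	}))
	defer srv.Close()
	url := srv.URL + "/v2/machine-os/manifests/latest" // hypothetical registry path

	var res DemoResult

	// Vulnerable client: accepts the untrusted certificate and the substituted body.
	body, err := fetch(url, vulnerableTLS())
	res.InsecureAccepted = err == nil && string(body) == manifest

	// Hardened client with the system trust store: the self-signed cert is rejected.
	if _, err = fetch(url, hardenedTLS(nil)); err != nil {
		res.SystemRootsErr = err.Error()
	}

	// Hardened client trusting the genuine issuer: verification passes.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	body, err = fetch(url, hardenedTLS(roots))
	res.PinnedAccepted = err == nil && string(body) == manifest

	return res
}

func main() {
	r := RunDemo()
	fmt.Printf("insecure client accepted untrusted cert:  %v\n", r.InsecureAccepted)
	fmt.Printf("verifying client (system roots) error:    %q\n", r.SystemRootsErr)
	fmt.Printf("verifying client (correct root) accepted: %v\n", r.PinnedAccepted)
}
```

The hardened configuration is the one any registry client should use: rely on the trust store (or an explicitly supplied CA bundle for private registries) and never set InsecureSkipVerify for downloads whose content will later be booted or executed.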

Mitigation

Download the VM image manually with a tool that does verify the TLS certificate (and, where the project publishes one, compare the file's digest against it), then pass the local file to podman with the --image option, for example:

podman machine init --image

Affected packages

Platform | Package | Status | Advisory | Release date
Red Hat OpenShift Container Platform 4 | rhcos | Affected | - | -
Red Hat Enterprise Linux 10 | podman | Fixed | RHSA-2025:10549 | 08.07.2025
Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2025:10551 | 08.07.2025
Red Hat Enterprise Linux 9 | podman | Fixed | RHSA-2025:10550 | 08.07.2025
Red Hat Enterprise Linux 9.4 Extended Update Support | podman | Fixed | RHSA-2025:10668 | 08.07.2025
Red Hat OpenShift Container Platform 4.16 | podman | Fixed | RHSA-2025:9766 | 02.07.2025
Red Hat OpenShift Container Platform 4.17 | podman | Fixed | RHSA-2025:10295 | 09.07.2025
Red Hat OpenShift Container Platform 4.18 | podman | Fixed | RHSA-2025:9726 | 02.07.2025
Red Hat OpenShift Container Platform 4.19 | podman | Fixed | RHSA-2025:9751 | 01.07.2025


Additional information

Severity (Red Hat): Important
Weakness: CWE-295 (Improper Certificate Validation)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2372501 ("podman: podman missing TLS verification")

EPSS

Percentile: 8%
Score: 0.00034
Low

CVSS3

8.3 High

Related vulnerabilities

CVSS3: 8.3
ubuntu
28 days ago

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVSS3: 8.3
nvd
28 days ago

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVSS3: 8.3
debian
28 days ago

A flaw was found in Podman. The podman machine init command fails to v ...

CVSS3: 8.3
github
27 days ago

Podman Improper Certificate Validation; machine missing TLS verification

oracle-oval
14 days ago

ELSA-2025-10551: container-tools:rhel8 security update (IMPORTANT)
