CVE-2025-6032

Опубликовано: 24 июн. 2025

Источник: redhat

CVSS3: 8.3

EPSS Низкий

Описание

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

Отчет

To exploit this flaw, a user needs to download an image from an untrusted OCI registry, specifically, an OCI registry with an invalid TLS certificate. This allows a remote attacker with access to the network path between the registry and the client to perform a Man In the Middle attack.

Меры по смягчению последствий

Download the VM image manually with another tool that verifies the TLS certificate and then pass the local image as a file path to podman, for example:

podman machine init --image

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat OpenShift Container Platform 4	rhcos	Affected
Red Hat Enterprise Linux 10	podman	Fixed	RHSA-2025:10549	08.07.2025
Red Hat Enterprise Linux 8	container-tools	Fixed	RHSA-2025:10551	08.07.2025
Red Hat Enterprise Linux 9	podman	Fixed	RHSA-2025:10550	08.07.2025
Red Hat Enterprise Linux 9.4 Extended Update Support	podman	Fixed	RHSA-2025:10668	08.07.2025
Red Hat OpenShift Container Platform 4.16	podman	Fixed	RHSA-2025:9766	02.07.2025
Red Hat OpenShift Container Platform 4.16	rhcos-416.94.202507222002	Fixed	RHSA-2025:11681	30.07.2025
Red Hat OpenShift Container Platform 4.17	podman	Fixed	RHSA-2025:10295	09.07.2025
Red Hat OpenShift Container Platform 4.18	rhcos-418.94.202507221927	Fixed	RHSA-2025:11677	30.07.2025
Red Hat OpenShift Container Platform 4.18	podman	Fixed	RHSA-2025:9726	02.07.2025

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-295

https://bugzilla.redhat.com/show_bug.cgi?id=2372501podman: podman missing TLS verification

EPSS

Процентиль: 14%

0.00046

Низкий

8.3 High

CVSS3

Связанные уязвимости

CVE-2025-6032

CVSS3: 8.3

ubuntu

7 месяцев назад

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVE-2025-6032

CVSS3: 8.3

nvd

7 месяцев назад

A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.

CVE-2025-6032

msrc

5 месяцев назад

Podman: podman missing tls verification

CVE-2025-6032

CVSS3: 8.3

debian

7 месяцев назад

A flaw was found in Podman. The podman machine init command fails to v ...

SUSE-SU-2025:02808-1

suse-cvrf

5 месяцев назад

Security update for podman

EPSS

Процентиль: 14%

0.00046

Низкий

8.3 High

CVSS3