{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8766", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-08-08T16:07:52.076Z", "datePublished": "2026-03-13T02:48:19.748Z", "dateUpdated": "2026-05-10T07:17:25.677Z"}, "containers": {"cna": {"title": "Noobaa-core: excessive permissions of /etc could lead to escalation of privilege in the noobaa-core container", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container"}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Openshift Data Foundation 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "odf4/mcg-core-rhel9", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openshift_data_foundation:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-8766", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387265", "name": "RHBZ#2387265", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-03-13T02:37:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-276: Incorrect Default Permissions", "timeline": [{"lang": "en", "time": "2025-08-08T16:08:17.737Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-13T02:37:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-10T07:17:25.677Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T14:13:26.491349Z", "id": "CVE-2025-8766", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T14:13:35.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T14:13:26.491349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T14:13:29.623Z"}}], "cna": {"title": "Noobaa-core: excessive permissions of /etc could lead to escalation of privilege in the noobaa-core container", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift_data_foundation:4"], "vendor": "Red Hat", "product": "Red Hat Openshift Data Foundation 4", "packageName": "odf4/mcg-core-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2025-08-08T16:08:17.737Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-13T02:37:00.000Z", "value": "Made public."}], "datePublic": "2026-03-13T02:37:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-8766", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387265", "name": "RHBZ#2387265", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-10T07:17:25.677Z"}, "x_redhatCweChain": "CWE-276: Incorrect Default Permissions"}}, "cveMetadata": {"cveId": "CVE-2025-8766", "state": "PUBLISHED", "dateUpdated": "2026-05-10T07:17:25.677Z", "dateReserved": "2025-08-08T16:07:52.076Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-03-13T02:48:19.748Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container"}], "id": "CVE-2025-8766", "lastModified": "2026-03-16T14:54:11.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-03-13T19:53:56.157", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-8766"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387265"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.", "bugzilla": {"description": "noobaa-core: Excessive permissions of /etc could lead to escalation of privilege in the noobaa-core container", "id": "2387265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387265"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-276", "details": ["A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container"], "name": "CVE-2025-8766", "package_state": [{"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Under investigation", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2026-03-13T02:37:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8766\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8766"], "statement": "Red Hat Product Security has rated this vulnerability as moderate severity for affected products which run on OpenShift. The vulnerability allows for potential privilege escalation within a container, but OpenShift's default, multi-layered security posture effectively mitigates this risk.\nThe primary controls include the default Security Context Constraints (SCC), which severely limit a container's permissions from the start, and SELinux, which enforces mandatory access control to ensure strict isolation. While other container runtime environments may have different controls available and require case-by-case analysis, OpenShift's built-in defenses are designed to prevent this type of attack.\nOut of Box RHEL configuration isolates a single process inside a container. Unless multiple processes are packaged inside a single container, that defeats the principle behind containerization, this bug can not be used to meaningfully escalate privileges.\nAlso, RHEL, and any common linux distributions do NOT add any additional users to the root group. The presence of the root group is strictly due to conformance with POSIX permission management requirements and can be considered to be an artifact of filesystem permission limitations.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "openshift_data_foundation", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-03-18T20:06:25.539489+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011issued patch or update to a version of Multi\u2011Cloud Object Gateway Core that corrects the /etc/passwd permissions.", "If a patch is unavailable, rebuild the affected container images ensuring /etc/passwd is not group\u2011writable (chmod\u00a0644).", "Remove non\u2011root users from the root group or use a dedicated non\u2011privileged user for container operations.", "Deploy containers with the principle of least privilege, denying unnecessary group permissions and disabling root group membership.", "Regularly audit container filesystems for unexpected permission changes and monitor for unauthorized user additions."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects Red\u00a0Hat Openshift Data Foundation\u00a04, specifically the Multi\u2011Cloud Object Gateway Core images. No specific affected version numbers are listed in the CVE entry.", "description_and_impact": "An integrity flaw (CWE\u2011276) allows an attacker with command execution capability inside a Multi\u2011Cloud Object Gateway Core container to modify the /etc/passwd file because it is created group\u2011writable during image build. By changing the file to add an entry with UID\u00a00, the attacker gains full root privileges within the container.", "risk_and_exploitability": "The CVSS score of 6.4 denotes moderate severity, and the EPSS score of less than 1% indicates a low likelihood of active exploitation. The vulnerability is not included in the CISA KEV catalog. Exploitation requires that the attacker already have command execution within the container and membership in the root group; the attack vector is therefore local to the container environment, though it may be leveraged to compromise the host or other containers."}}}}, "created": "2026-03-16T09:38:03.019252+00:00", "updated": "2026-03-23T09:59:48.454428+00:00", "vendors": ["redhat", "redhat$PRODUCT$openshift_data_foundation"]}