CVE-2025-8766
Container Privilege Escalation via Group-Writable /etc/passwd in Multi-Cloud Gateway
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version |
|---|---|---|
| redhat | noobaa-core | to 2026-03-13 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a container privilege escalation flaw found in certain Multi-Cloud Object Gateway Core images, specifically in the noobaa-core container. The issue arises because the /etc/passwd file is created with group-writable permissions (mode 664) during build time. This improper permission setting allows any user within the container who is part of the root group to modify the /etc/passwd file.
By modifying this file, an attacker can add a new user with any arbitrary user ID, including UID 0, which is the root user. This effectively grants the attacker full root privileges within the container, even if they initially have only non-root access.
How can this vulnerability impact me?
This vulnerability can have serious impacts by allowing an attacker with limited access inside the container to escalate their privileges to full root access. This means the attacker can execute any command with the highest level of permissions within the container.
Such privilege escalation can compromise the integrity and security of container processes, potentially leading to unauthorized modifications, data breaches, or further exploitation within the container environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the permissions of the /etc/passwd file inside the affected noobaa-core container images. Specifically, verify whether the /etc/passwd file or the /etc directory is group-writable (mode 664 for the file, or a group-writable mode such as 775 for the directory).
- Run this command inside the container to check the file's permissions: `ls -l /etc/passwd`
- Check the permissions of the /etc directory: `ls -ld /etc`
- If the output shows group write access (e.g., `-rw-rw-r--` for /etc/passwd or `drwxrwxr-x` for /etc), the container is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that the /etc/passwd file and the /etc directory inside the noobaa-core container images are not group-writable.
- Remove group write access from /etc/passwd, for example: `chmod 644 /etc/passwd`
- Remove group write access from the /etc directory, for example: `chmod 755 /etc`
Additionally, update or rebuild the container images using a fixed version of the noobaa-core source code where the setup_platform.sh script correctly sets permissions, as the issue originates from improper permission settings during build time.
Monitor for updates or patches released by the vendor and apply them as soon as possible.
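The permission check and the remediation from the two answers above, combined into one script. This is an added example, not code from the advisory or from the noobaa project; it assumes GNU stat (as on the Linux-based images the advisory covers) and only touches the two paths the advisory names.

```shell
#!/bin/sh
# Added example (not from the advisory or the noobaa project): detect and
# remediate the CWE-276 condition described above. Assumes GNU stat, as on
# the Linux-based container images the advisory covers.

# True (exit 0) when PATH has the group-write bit set; 2 if PATH is missing.
is_group_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # %a prints the octal mode (e.g. 664); mask the group-write bit, 020.
    [ $(( 0$mode & 020 )) -ne 0 ]
}

# Report each path; exit 1 if any is group-writable (the vulnerable state).
check_paths() {
    vulnerable=0
    for p in "$@"; do
        if is_group_writable "$p"; then
            echo "VULNERABLE: $p is group-writable: $(stat -c '%A %U:%G' "$p")"
            vulnerable=1
        else
            echo "ok: $p ($(stat -c '%A' "$p" 2>/dev/null || echo missing))"
        fi
    done
    return "$vulnerable"
}

# Drop only the group-write bit, so 664 becomes 644 and 775 becomes 755,
# matching the chmod advice above without touching the other bits.
fix_paths() {
    for p in "$@"; do
        chmod g-w "$p" || return 1
    done
}

# Run inside the container: `sh check_passwd.sh --check` or `--fix`.
case "${1:-}" in
    --check) check_paths /etc/passwd /etc ;;
    --fix)   fix_paths /etc/passwd /etc && check_paths /etc/passwd /etc ;;
esac
```

A non-zero exit from `--check` is the vulnerable state, which makes the script usable as an admission or CI gate on rebuilt images.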