Description

A flaw was found in Podman. The podman machine init command does not verify the TLS certificate of the OCI registry from which it downloads VM images. An attacker positioned on the network path between the client and the registry (a man-in-the-middle) can therefore present an arbitrary certificate and serve a substituted VM image in place of the genuine one.
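
To make the flaw concrete, the following Go program is an added example, not Podman code and not a reproduction of the patched function. It downloads a blob with certificate verification disabled (the vulnerable policy) and then with Go's default verification, both against an HTTPS server whose certificate is self-signed by the test harness, which is exactly what an on-path attacker can present. The server, the `/v2/.../blobs/...` path and the payload are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchBlob downloads one HTTPS resource under the given TLS policy and returns
// its body. skipVerify=true reproduces the vulnerable behaviour: chain building
// and hostname checking are both switched off, so any certificate is accepted.
func fetchBlob(url string, skipVerify bool) ([]byte, error) {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: skipVerify, // the flaw when true
			MinVersion:         tls.VersionTLS12,
		},
	}
	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// Outcome records what each TLS policy did with the attacker's server.
type Outcome struct {
	InsecureAccepted bool   // download succeeded with verification disabled
	VerifiedAccepted bool   // download succeeded with verification enabled
	VerifyError      string // error text from the verifying client, if any
}

// simulateMITM stands up an HTTPS server whose certificate is self-signed by
// httptest and chains to no CA the client trusts, then fetches a constructed
// "VM image" blob from it with and without certificate verification.
func simulateMITM() Outcome {
	attacker := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constructed payload standing in for a trojaned machine image blob.
		w.Header().Set("Content-Type", "application/octet-stream")
		_, _ = w.Write([]byte("malicious-vm-image"))
	}))
	defer attacker.Close()

	// Hypothetical blob path in the OCI distribution layout; not a real registry.
	blobURL := attacker.URL + "/v2/podman/machine/os/blobs/sha256:deadbeef"

	var out Outcome
	body, err := fetchBlob(blobURL, true)
	out.InsecureAccepted = err == nil && string(body) == "malicious-vm-image"

	_, err = fetchBlob(blobURL, false)
	out.VerifiedAccepted = err == nil
	if err != nil {
		out.VerifyError = err.Error()
	}
	return out
}

func main() {
	o := simulateMITM()
	fmt.Printf("verification disabled: accepted=%v\n", o.InsecureAccepted)
	fmt.Printf("verification enabled:  accepted=%v err=%s\n", o.VerifiedAccepted, o.VerifyError)
}
```

With verification off, the forged certificate is accepted and the attacker's bytes are treated as the image; with verification on, the handshake fails with an x509 error before any payload is read. In code built on containers/image, the equivalent knob is `types.SystemContext.DockerInsecureSkipTLSVerify`, which should stay unset (the default) for any pull that is not deliberately aimed at a local, insecure test registry. TLS verification only authenticates the registry; pinning the manifest digest and verifying signatures is what binds the image to its publisher.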

Record state: PUBLISHED | Reserved 2025-06-12 | Published 2025-06-24 | Updated 2025-11-29 | Assigner: redhat

HIGH: 8.3  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
(network attack vector, high attack complexity, no privileges required, user interaction required, changed scope, high confidentiality, integrity and availability impact)

Problem types

Improper Certificate Validation (CWE-295)

Product status

How to read the entries: the default status applies to every version of a product that no version line covers. A line of the form "X (rpm) before *: unaffected" names X as the first fixed build, so that build and everything newer is fixed, while earlier builds of the same product keep the default status.

Default status: unaffected
  4.8.0 (semver) before 5.5.2: affected

Default status: affected
  6:5.4.0-12.el10_0 (rpm) before *: unaffected

Default status: affected
  8100020250625105344.afee755d (rpm) before *: unaffected

Default status: affected
  5:5.4.0-12.el9_6 (rpm) before *: unaffected

Default status: affected
  4:4.9.4-18.el9_4.2 (rpm) before *: unaffected

Default status: affected
  4:4.9.4-16.rhaos4.16.el9 (rpm) before *: unaffected

Default status: affected
  416.94.202507222002-0 (rpm) before *: unaffected

Default status: affected
  5:5.2.2-8.rhaos4.17.el9 (rpm) before *: unaffected

Default status: affected
  417.94.202507132309-0 (rpm) before *: unaffected

Default status: affected
  418.94.202507221927-0 (rpm) before *: unaffected

Default status: affected
  5:5.2.2-9.rhaos4.18.el9 (rpm) before *: unaffected

Default status: affected
  4.19.9.6.202507152218-0 (rpm) before *: unaffected

Default status: affected
  5:5.4.0-6.rhaos4.19.el9 (rpm) before *: unaffected

Default status: affected
  4.20.9.6.202509251656-0 (rpm) before *: unaffected

Default status: affected
  (no version listed)
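
The upstream range can be checked mechanically. The following Go program is an added example, not part of this record or of Podman: it parses the line printed by `podman --version` and reports whether the version falls in [4.8.0, 5.5.2). For distribution packages the upstream version alone is not decisive, because the fix is backported without changing it; compare the installed package (`rpm -q podman`) against the NEVRs listed for that product instead.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Upstream affected range taken from this record: 4.8.0 <= version < 5.5.2.
var (
	affectedFrom = semver{4, 8, 0}
	fixedIn      = semver{5, 5, 2}
)

type semver struct{ major, minor, patch int }

// parseSemver accepts "5.5.1", "v5.5.1", "5.5.1-dev" or "4.9.4-rhel" and keeps
// only the numeric core. Pre-release and build labels are dropped, so a
// "5.5.2-dev" snapshot reads as 5.5.2; such builds must be judged by whether
// they contain the fix commit, not by the number.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedUpstream reports whether an upstream Podman version lies in the
// affected range. It says nothing about distribution packages.
func affectedUpstream(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	return !v.less(affectedFrom) && v.less(fixedIn), nil
}

// versionFromPodmanOutput extracts "5.5.1" from the output of `podman --version`,
// which has the form "podman version 5.5.1".
func versionFromPodmanOutput(out string) (string, error) {
	fields := strings.Fields(out)
	if len(fields) < 3 || fields[0] != "podman" || fields[1] != "version" {
		return "", fmt.Errorf("unexpected output: %q", strings.TrimSpace(out))
	}
	return fields[2], nil
}

func main() {
	out, err := exec.Command("podman", "--version").Output()
	if err != nil {
		fmt.Println("podman not found or not runnable:", err)
		return
	}
	v, err := versionFromPodmanOutput(string(out))
	if err != nil {
		fmt.Println(err)
		return
	}
	hit, err := affectedUpstream(v)
	if err != nil {
		fmt.Println(err)
		return
	}
	if hit {
		fmt.Printf("podman %s is in the upstream affected range [4.8.0, 5.5.2); upgrade or apply the vendor errata\n", v)
	} else {
		fmt.Printf("podman %s is outside the upstream affected range\n", v)
	}
}
```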

Timeline

2025-06-12: Reported to Red Hat.
2025-06-24: Made public.

Credits

This issue was discovered by Paul Holzinger (Red Hat Inc.).

References

access.redhat.com/errata/RHSA-2025:10295 (RHSA-2025:10295) vendor-advisory

access.redhat.com/errata/RHSA-2025:10549 (RHSA-2025:10549) vendor-advisory

access.redhat.com/errata/RHSA-2025:10550 (RHSA-2025:10550) vendor-advisory

access.redhat.com/errata/RHSA-2025:10551 (RHSA-2025:10551) vendor-advisory

access.redhat.com/errata/RHSA-2025:10668 (RHSA-2025:10668) vendor-advisory

access.redhat.com/errata/RHSA-2025:11359 (RHSA-2025:11359) vendor-advisory

access.redhat.com/errata/RHSA-2025:11363 (RHSA-2025:11363) vendor-advisory

access.redhat.com/errata/RHSA-2025:11677 (RHSA-2025:11677) vendor-advisory

access.redhat.com/errata/RHSA-2025:11681 (RHSA-2025:11681) vendor-advisory

access.redhat.com/errata/RHSA-2025:15397 (RHSA-2025:15397) vendor-advisory

access.redhat.com/errata/RHSA-2025:9726 (RHSA-2025:9726) vendor-advisory

access.redhat.com/errata/RHSA-2025:9751 (RHSA-2025:9751) vendor-advisory

access.redhat.com/errata/RHSA-2025:9766 (RHSA-2025:9766) vendor-advisory

access.redhat.com/security/cve/CVE-2025-6032 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2372501 (RHBZ#2372501) issue-tracking

github.com/...ommit/726b506acc8a00d99f1a3a1357ecf619a1f798c3

github.com/...podman/security/advisories/GHSA-65gg-3w2w-hr4h

cve.org (CVE-2025-6032)

nvd.nist.gov (CVE-2025-6032)
