CVE-2025-7195: operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
5.2
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/operator-framework/operator-sdk | go | < 0.15.2 | 0.15.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the scripts that operator-sdk scaffolds into container images, not in any runtime function of the SDK itself. The root cause is the generated user_setup script, which runs during the container image build. That script sets the permissions of /etc/passwd so that the file is writable by the root group (`chmod g+rw /etc/passwd`), leaving the account database modifiable by any process that carries that group.
Analysis of the patch commit d2205b9df5d509f23aaa417d6369620fc2915168 confirms this. The commit removes the `chmod g+rw /etc/passwd` command from the userSetupTmpl template variable in internal/scaffold/usersetup.go, internal/scaffold/ansible/usersetup.go, and internal/scaffold/helm/usersetup.go. The Go functions that render these templates into the vulnerable scripts are UserSetup.GetInput in each of those packages. These functions do not execute the vulnerable command themselves, but they are responsible for producing the script that does.
Additionally, the entrypoint scripts generated by the Entrypoint.GetInput functions were modified to remove logic that wrote to /etc/passwd at container start. While not the primary cause, this logic depended on the weak permissions and was removed as part of the mitigation. An attacker with shell access to a container built with a vulnerable operator could exploit this by modifying /etc/passwd to add a new user with UID 0, gaining root privileges within the container. The identified functions are therefore the sources of the vulnerability, as they generate the insecure scripts.
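The following is an added image-audit check, not code from operator-sdk or from the advisory. It shows how a scanner would detect both the weak state the vulnerable user_setup script leaves behind (an /etc/passwd writable by group or others) and the trace left if that weakness was used (more than one account with UID 0). The rootfs path and the sample passwd contents are constructed for the demo; in practice the argument would be an extracted image filesystem such as the output of `docker export`.

```shell
#!/bin/sh
# Added example (not operator-sdk's own code): audit /etc/passwd inside an
# extracted container filesystem for the CVE-2025-7195 weakness.

# writable_by_group_or_other FILE
# Exit 0 if the group or "other" write bit is set on FILE, 1 otherwise.
# Parses the `ls -ld` mode string (positions 1-10: type, rwx user,
# rwx group, rwx other) so it runs on any POSIX sh without GNU stat.
writable_by_group_or_other() {
  perms=$(ls -ld "$1" | cut -c1-10)
  case "$perms" in
    ?????w*|????????w?) return 0 ;;   # char 6 = group write, char 9 = other write
  esac
  return 1
}

# uid0_accounts PASSWD_FILE
# Print the login name of every entry whose UID field (field 3) is 0.
# A build that only ever had root yields exactly one line.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# audit_passwd ROOTFS
# Report findings for ROOTFS/etc/passwd. Exit 0 if clean, 1 if either
# check fires. ROOTFS is a hypothetical extracted image filesystem.
audit_passwd() {
  f="$1/etc/passwd"
  rc=0
  if writable_by_group_or_other "$f"; then
    echo "FINDING: $f is group- or world-writable ($(ls -ld "$f" | cut -c1-10))"
    rc=1
  fi
  n=$(uid0_accounts "$f" | wc -l | tr -d ' ')
  if [ "$n" -gt 1 ]; then
    echo "FINDING: $n accounts with UID 0: $(uid0_accounts "$f" | tr '\n' ' ')"
    rc=1
  fi
  return $rc
}

# --- constructed demo rootfs (sample data, not taken from any real image) ---
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534::/:/sbin/nologin\n' > "$demo/etc/passwd"

chmod 664 "$demo/etc/passwd"   # the mode the vulnerable user_setup script leaves behind
audit_passwd "$demo" || echo "image is vulnerable (exit $?)"

chmod 644 "$demo/etc/passwd"   # the mode after the fixed scaffolding
audit_passwd "$demo" && echo "image is clean"

rm -rf "$demo"
```

The mode check alone is what flags an image built with a vulnerable operator-sdk; the UID-0 count is the complementary runtime check, useful when reviewing a container that has already been running, since the removed entrypoint logic and any later edits both leave their mark in the same file.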