#VU111945 Improper Certificate Validation in Podman - CVE-2025-6032

Cybersecurity Help s.r.o.

Published: 2025-06-25

Vulnerability identifier: #VU111945

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-6032

CWE-ID: CWE-295

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Podman
Universal components / Libraries / Libraries used by multiple products

Vendor: Container Projects

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Podman: All versions

External links
https://access.redhat.com/security/cve/CVE-2025-6032
https://bugzilla.redhat.com/show_bug.cgi?id=2372501

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for container-tools:an8 module

Red Hat Enterprise Linux 8 update for the container-tools:rhel8 module

Red Hat Enterprise Linux 9 update for podman

Red Hat Enterprise Linux 10 update for podman

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17 packages

Red Hat Enterprise Linux 9 update for podman

Improper Certificate Validation in Red Hat OpenShift Container Platform 4.16 packages

Improper Certificate Validation in Red Hat OpenShift Container Platform 4.18 packages

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.18

Improper Certificate Validation in Red Hat OpenShift Container Platform 4.19 packages