2372501 – (CVE-2025-6032) CVE-2025-6032 podman: podman missing TLS verification

Bug 2372501 (CVE-2025-6032) - CVE-2025-6032 podman: podman missing TLS verification

Summary: CVE-2025-6032 podman: podman missing TLS verification

Keywords:
Status:	NEW
Alias:	CVE-2025-6032
Deadline:	2025-06-24
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2374581
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-12 15:24 UTC by OSIDB Bzimport
Modified:	2025-06-24 13:52 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-12 15:24:27 UTC

The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack.

Requirements to exploit:
Access to the network path between registry and client to perform a MITM
attack.

Version affected: podman >= 4.8.0
Code was added in commit ea4775e, however it is only used as default way
to pull images since 5.0.0.

Comment 2 Tom Sweeney 2025-06-17 17:19:46 UTC

Just noting that the code with the issue was first introduced in Podman v4.8 and RHEL 8.10 & 9.4.  Also in OCP 4.16.  Earlier versions of OCP and RHEL are not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.