| CVE ID | CVE-2025-9276 |
| CVSS SCORE | 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| AFFECTED VENDORS |
Cockroach Labs |
| AFFECTED PRODUCTS |
cockroach-k8s-request-cert |
| VULNERABILITY DETAILS |
This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image. The specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. |
| ADDITIONAL DETAILS |
10/06/2023 – ZDI attempted to contact the vendor multiple times, but no response was received -- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. |
| DISCLOSURE TIMELINE |
|
| CREDIT | Alfredo de Oliveira - Trend Micro Nebula Team |
