{
  "threat_severity" : "Important",
  "public_date" : "2025-06-24T00:00:00Z",
  "bugzilla" : {
    "description" : "podman: podman missing TLS verification",
    "id" : "2372501",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2372501"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry, which exposes the download to a Man-in-the-Middle attack.", "A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading VM images from an OCI registry, which exposes the download to a Man-in-the-Middle attack." ],
  "statement" : "To exploit this flaw, a user needs to download a VM image from an untrusted OCI registry, specifically one presenting an invalid TLS certificate. Because that certificate is not verified, a remote attacker with access to the network path between the registry and the client can perform a Man-in-the-Middle attack.",
  "acknowledgement" : "This issue was discovered by Paul Holzinger (Red Hat Inc.).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10549",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "podman-6:5.4.0-12.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10551",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:rhel8-8100020250625105344.afee755d"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10550",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "podman-5:5.4.0-12.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10668",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "podman-4:4.9.4-18.el9_4.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:9766",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el8",
    "package" : "podman-4:4.9.4-14.rhaos4.16.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:11681",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202507222002-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10295",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el8",
    "package" : "podman-5:5.2.2-8.rhaos4.17.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2025-07-23T00:00:00Z",
    "advisory" : "RHSA-2025:11359",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202507132309-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:11677",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202507221927-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:9726",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "podman-5:5.2.2-9.rhaos4.18.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.19",
    "release_date" : "2025-07-22T00:00:00Z",
    "advisory" : "RHSA-2025:11363",
    "cpe" : "cpe:/a:redhat:openshift:4.19::el9",
    "package" : "rhcos-4.19.9.6.202507152218-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.19",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:9751",
    "cpe" : "cpe:/a:redhat:openshift:4.19::el9",
    "package" : "podman-5:5.4.0-6.rhaos4.19.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.20",
    "release_date" : "2025-10-21T00:00:00Z",
    "advisory" : "RHSA-2025:15397",
    "cpe" : "cpe:/a:redhat:openshift:4.20::el9",
    "package" : "rhcos-4.20.9.6.202509251656-0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-6032\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6032\nhttps://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3\nhttps://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h" ],
  "name" : "CVE-2025-6032",
  "mitigation" : {
    "value" : "Download the VM image manually with another tool that verifies the TLS certificate and then pass the local image as a file path to podman, for example:\n# podman machine init --image <local-image-path>",
    "lang" : "en:us"
  },
  "csaw" : false
}