Platform: kubernetes
Component: mirror-registry
Fixed in: 1.10.0, 2.5.4
CVE-2025-14243 is a security vulnerability affecting the OpenShift Mirror Registry. This flaw enables an unauthenticated, remote attacker to discover valid usernames and email addresses by observing error messages generated during authentication attempts and account creation processes. The vulnerability impacts versions 1.0.0 through 2.5.3 of the OpenShift Mirror Registry, and a patch is available in version 2.5.4.
A vulnerability has been identified in the OpenShift Mirror Registry (CVE-2025-14243) allowing an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. The CVSS score for this vulnerability is 5.3. Exposure of this information could facilitate social engineering attacks, credential theft, and potentially unauthorized access to resources within the OpenShift cluster. The mirror registry is crucial for container image availability, and compromising its security can have significant consequences for business continuity and application integrity.
A remote, unauthenticated attacker can exploit this vulnerability by sending authentication or account creation requests with invalid credentials. The error messages generated by the mirror registry reveal information about the validity of the provided usernames and email addresses. By systematically repeating this process, the attacker can compile a list of valid usernames and email addresses. The ease of exploitation and low access requirement make this vulnerability a significant concern, especially in environments where the mirror registry is exposed to the public network.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for this vulnerability is to upgrade the OpenShift Mirror Registry to version 2.5.4 or later. This version includes the necessary fixes to prevent user and email enumeration. Additionally, implementing robust security practices such as multi-factor authentication (MFA) and regular password rotation is recommended. Monitoring the mirror registry logs for unusual authentication attempts or account creation-related errors can also help detect and respond to potential attacks. If immediate upgrade is not possible, temporary measures such as restricting access to the mirror registry and reviewing logging configuration to minimize information exposed in error messages can be implemented.
Upgrade to version 2.5.4 or later of the OpenShift Mirror Registry to mitigate the user enumeration vulnerability. This update fixes the issue by properly validating user input and preventing the disclosure of sensitive information through error messages. Consult the official Red Hat documentation for detailed upgrade instructions.
The OpenShift Mirror Registry is a local copy of a container registry (such as Docker Hub) used to improve container image download speeds and ensure availability in case of issues with the original registry.
Version 2.5.4 contains the necessary fixes to prevent user and email enumeration, mitigating the CVE-2025-14243 vulnerability.
You can restrict access to the mirror registry and review the logging configuration to minimize information exposed in error messages.
Regularly review the mirror registry logs for unusual authentication attempts or account creation-related errors.
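As an added example (not from this page or from Red Hat), one way to carry out the log review above: a Python script that flags a source address whose failed logins fan out across many distinct usernames in a short window, the signature of an enumeration sweep rather than one user mistyping a password. The log line format and the sample lines are constructed assumptions, not real mirror-registry output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real mirror-registry output). The format
# "<ISO timestamp> <source ip> <event> user=<name> ..." is an assumption.
SAMPLE_LOG = """\
2025-01-10T10:00:01Z 203.0.113.7 auth_failure user=alice reason=invalid_password
2025-01-10T10:00:02Z 203.0.113.7 auth_failure user=bob reason=unknown_user
2025-01-10T10:00:03Z 203.0.113.7 auth_failure user=carol reason=unknown_user
2025-01-10T10:00:04Z 203.0.113.7 auth_failure user=dave reason=unknown_user
2025-01-10T10:00:05Z 203.0.113.7 auth_failure user=erin reason=unknown_user
2025-01-10T10:00:06Z 203.0.113.7 auth_failure user=frank reason=unknown_user
2025-01-10T10:05:00Z 198.51.100.4 auth_failure user=alice reason=invalid_password
2025-01-10T10:05:30Z 198.51.100.4 auth_failure user=alice reason=invalid_password
2025-01-10T10:06:00Z 198.51.100.4 auth_success user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) user=(?P<user>\S+)")

def parse(line):
    """Parse one line into (timestamp, source, event, user); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["event"], m["user"]

def find_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {source: distinct_users} for every source whose auth failures
    cover at least `threshold` distinct usernames inside some `window`-long
    span. A legitimate user retrying one account stays at one distinct name;
    a sweep over a candidate list climbs quickly."""
    failures = defaultdict(list)  # source -> [(timestamp, user)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "auth_failure":
            failures[rec[1]].append((rec[0], rec[3]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged
```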
Red Hat provides tools and guidance for vulnerability assessment. Refer to the official Red Hat OpenShift documentation for more information.