=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN396
_____________________________________________________________________

DATE                : 26/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running podman versions prior to 5.5.2.

=====================================================================
https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h
_____________________________________________________________________

podman machine missing TLS verification

High
Luap99 published GHSA-65gg-3w2w-hr4h Jun 24, 2025

Package
github.com/containers/podman (Go)

Affected versions
v4.8.0 to v5.5.1

Patched versions
v5.5.2

Description

Impact

The podman machine init command fails to verify the TLS certificate
when downloading the VM images from an OCI registry (which it does by
default since 5.0.0), allowing a possible man-in-the-middle attack.

Patches

726b506
Fixed in v5.5.2

Workarounds

Download the disk image manually via some other tool that verifies the
TLS connection. Then pass the local image as a file path
(podman machine init --image ./somepath).

Severity
High 8.4 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : High
Privileges required : None
User interaction    : Required
Scope               : Changed
Confidentiality     : High
Integrity           : High
Availability        : High

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID
CVE-2025-6032

Weaknesses
No CWEs

Credits
@Luap99

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
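The weakness class named in the Impact section, as an added example using only Go's standard library; it is not podman's code and does not reproduce the defect or the fix in 726b506. Assumptions: a local httptest TLS server whose certificate no system trusts stands in for a host that is not the real registry, and fetch, demo and constructedImage are hypothetical names.

```go
// Added example, not podman's code: shows why a download client must verify
// the server certificate before it trusts the bytes it receives.
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// constructedImage is constructed sample data standing in for a VM disk image.
const constructedImage = "constructed-disk-image-bytes"

// fetch downloads url and returns the body. With skipVerify=true the client
// accepts any certificate, so it cannot tell the real server from another host.
func fetch(url string, skipVerify bool) (string, error) {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo starts the untrusted server and tries both client configurations.
func demo() (unverified string, verifiedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			io.WriteString(w, constructedImage)
		}))
	defer srv.Close()
	unverified, _ = fetch(srv.URL, true)   // verification off: body is accepted
	_, verifiedErr = fetch(srv.URL, false) // verification on: handshake rejected
	return unverified, verifiedErr
}

func main() {
	got, err := demo()
	fmt.Printf("verification off: received %q\n", got)
	fmt.Printf("verification on:  %v\n", err)
}
```

With verification on, the handshake fails before any image bytes are read, which is the property the workaround relies on when it asks for a download tool that verifies the TLS connection.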