github · asrar-mared · Feb 14, 2026 · Feb 15, 2026 · Feb 23, 2026 · Feb 24, 2026
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json
@@ -0,0 +1,161 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-856v-8qm2-9wjv",
+  "modified": "2026-02-11T18:32:31Z",
+  "published": "2025-08-07T21:31:08Z",
+  "aliases": [
+    "CVE-2025-7195"
+  ],
+  "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd",
+  "details": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.\n ⭐ Introduce Automated Remediation Framework for Operator‑SDK Vulnerabilities\n\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/operator-framework/operator-sdk"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.15.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/operator-framework/operator-sdk"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:2572"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0722"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0718"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0627"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23542"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22684"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22683"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22420"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22418"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22415"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:21885"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:21368"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19961"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19958"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2026:0129"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2025:23478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2025:23406"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHBA-2024:11569"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-276"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-07T21:59:46Z",
+    "nvd_published_at": "2025-08-07T19:15:29Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup
@@ -0,0 +1,161 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-856v-8qm2-9wjv",
+  "modified": "2026-02-11T18:32:31Z",
+  "published": "2025-08-07T21:31:08Z",
+  "aliases": [
+    "CVE-2025-7195"
+  ],
+  "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd",
+  "details": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.\n ⭐ Introduce Automated Remediation Framework for Operator‑SDK Vulnerabilities\n\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/operator-framework/operator-sdk"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.38.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/operator-framework/operator-sdk"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-7195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:2572"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0737"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0722"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0718"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:0627"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23542"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:23528"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22684"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22683"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22420"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22418"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22416"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22415"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:21885"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:21368"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19961"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19958"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19335"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:19332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2026:0129"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2025:23478"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHEA-2025:23406"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHBA-2024:11569"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-276"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-08-07T21:59:46Z",
+    "nvd_published_at": "2025-08-07T19:15:29Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import json
+from datetime import datetime
+import subprocess
+
+# اسم ملف الـ GHSA اللي نشتغل عليه فقط
+FILE = "GHSA-856v-8qm2-9wjv.json"
+
+# إعدادات التحديث
+NEW_FIXED = "1.38.0"
+NEW_TYPE = "SEMVER"
+
+# التاريخ الحالي بصيغة ISO
+current_time = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
+
+# عمل نسخة احتياطية
+backup_path = FILE + ".backup"
+subprocess.run(["cp", FILE, backup_path])
+
+# قراءة الملف
+with open(FILE, "r", encoding="utf-8") as f:
+    data = json.load(f)
+
+# تحديث النوع والتصحيح
+for pkg in data.get("affected", []):
+    for r in pkg.get("ranges", []):
+        r["type"] = NEW_TYPE
+        for event in r.get("events", []):
+            if "fixed" in event:
+                event["fixed"] = NEW_FIXED
+
+# تحديث modified
+data["modified"] = current_time
+
+# حفظ التغييرات
+with open(FILE, "w", encoding="utf-8") as f:
+    json.dump(data, f, indent=2, ensure_ascii=False)
+
+print(f"✅ Updated {FILE}")
+
+# Git add & commit
+subprocess.run(["git", "add", FILE])
+commit_message = f"Professional update: SEMVER range and fixed version updated on {current_time}"
+subprocess.run(["git", "commit", "-m", commit_message])
+
+print("✅ Commit created and ready for push.")