GHSA-65gg-3w2w-hr4h

Source
https://github.com/advisories/GHSA-65gg-3w2w-hr4h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-65gg-3w2w-hr4h/GHSA-65gg-3w2w-hr4h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-65gg-3w2w-hr4h
Aliases
Published
2025-06-25T21:57:00Z
Modified
2025-07-02T09:30:29Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Podman Improper Certificate Validation; machine missing TLS verification
Details

Impact

The podman machine init command does not verify the TLS certificate when it downloads VM images from an OCI registry (the default image source since 5.0.0), which leaves the download open to a man-in-the-middle attack.
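The failure class behind this advisory (CWE-295) is easy to demonstrate in Go, the language Podman is written in. The following is an added example, not code from Podman or from the fix commit: an httptest TLS server with a self-signed certificate stands in for the registry (or for an attacker interposed on the connection), and two clients fetch from it. The client with InsecureSkipVerify, which is the hypothetical equivalent of the vulnerable behaviour, accepts the unknown certificate; the verifying client rejects it unless the server's CA has been added to its trust store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// imageBytes is a constructed stand-in for a VM disk image (not a real image).
const imageBytes = "fake-disk-image-bytes"

// newServer starts a TLS server with httptest's self-signed certificate. It
// plays the role of the OCI registry, or of an attacker presenting a
// certificate the client has no reason to trust (hypothetical test server).
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, imageBytes)
	}))
}

// fetch downloads url with the given TLS configuration and returns the body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// InsecureConfig mirrors the vulnerable behaviour: certificate verification is
// disabled, so any certificate, including an attacker's, is accepted.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// VerifyingConfig is the hardened behaviour: the chain is verified against the
// given roots (an empty pool trusts nothing; a pool with the server's CA
// trusts only that CA).
func VerifyingConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots}
}

// Outcome records how each client fared against the same server.
type Outcome struct {
	InsecureAcceptedUntrusted  bool  // vulnerable client downloaded despite an unknown certificate
	VerifyingAcceptedTrusted   bool  // verifying client still works once the server's CA is trusted
	VerifyingRejectedUntrusted bool  // verifying client refused the unknown certificate
	RejectErr                  error // the error the verifying client returned for the unknown certificate
}

// Compare runs the vulnerable and hardened clients against the test server.
func Compare() Outcome {
	srv := newServer()
	defer srv.Close()

	var o Outcome

	body, err := fetch(srv.URL, InsecureConfig())
	o.InsecureAcceptedUntrusted = err == nil && body == imageBytes

	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // pin the server's own (self-signed) certificate
	body, err = fetch(srv.URL, VerifyingConfig(trusted))
	o.VerifyingAcceptedTrusted = err == nil && body == imageBytes

	_, err = fetch(srv.URL, VerifyingConfig(x509.NewCertPool()))
	o.VerifyingRejectedUntrusted = err != nil
	o.RejectErr = err
	return o
}

// IsUnknownAuthority reports whether err is the verification failure a
// correctly configured client produces for a certificate it cannot chain to a root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	o := Compare()
	fmt.Printf("vulnerable client accepted untrusted cert: %v\n", o.InsecureAcceptedUntrusted)
	fmt.Printf("verifying client accepted trusted cert:    %v\n", o.VerifyingAcceptedTrusted)
	fmt.Printf("verifying client rejected untrusted cert:  %v (%v)\n", o.VerifyingRejectedUntrusted, o.RejectErr)
}
```

The point of the third fetch is the one that matters for this advisory: with verification enabled and no trusted CA, the download fails closed instead of silently accepting whatever certificate the network presents. A real client would pass nil roots to use the system trust store rather than an empty pool.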

Patches

Fixed in v5.5.2: https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3

Workarounds

Download the disk image manually with a tool that verifies the TLS connection, then pass the local file path to podman instead of letting it fetch from the registry (podman machine init --image ./somepath).

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-24T14:15:30Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed_at": "2025-06-25T21:57:00Z"
}
References

Affected packages

Go / github.com/containers/podman/v4

Package

Name
github.com/containers/podman/v4
Purl
pkg:golang/github.com/containers/podman/v4

Affected ranges

Type
SEMVER
Events
Introduced
4.8.0
Last affected
4.9.5

Go / github.com/containers/podman/v5

Package

Name
github.com/containers/podman/v5
Purl
pkg:golang/github.com/containers/podman/v5

Affected ranges

Type
SEMVER
Events
Introduced
0 (introduced version unknown; all previous versions are affected)
Fixed
5.5.2