Podman TLS Verification Flaw in Image Download Process Allows Man-In-The-Middle Attacks

Vulnerability

A vulnerability exists in Podman versions 4.8.0 and later, including 5.0.0, where the 'podman machine init' command does not verify the TLS certificate of the OCI registry from which it downloads virtual machine images. The issue was introduced in version 4.8.0. Although Podman enables TLS verification by default for image pulls in 5.0.0 and later, the 'podman machine init' image download does not benefit from that default, so 5.0.0 is affected as well. Because the registry's certificate is never checked, an attacker positioned between the client and the registry can present a certificate of their own and intercept or replace the downloaded image (a Man-In-The-Middle (MITM) attack). Affected products include Red Hat Enterprise Linux (RHEL) 8.10, RHEL 9.4, and OpenShift Container Platform (OCP) 4.16.

Impact

Exploitation of this vulnerability could lead to a Man-In-The-Middle attack, where an attacker intercepts and potentially alters the communication between the Podman client and the OCI registry. On this code path the data in transit is the virtual machine image itself, so a successful attacker could substitute a tampered image for the one the user requested.
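As an added example (not code from the Podman project or from this page), the following Go program shows the failure mode the advisory describes and the check a practitioner would want when reviewing an image-download client: a client that disables certificate verification accepts an imposter registry presenting a self-signed certificate, while a verifying client rejects it unless the operator has explicitly trusted that certificate. The httptest server, its self-signed certificate, the blob path, the payload and the function names are all constructed for the example; the code does not claim to reproduce Podman's own download implementation, only the class of misconfiguration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchBlob downloads a registry blob over HTTPS. skipVerify=true reproduces
// the class of defect in the advisory: the server certificate is never checked,
// so whoever terminates the TLS connection can hand back any bytes they like.
// roots==nil means the system trust store is used.
func fetchBlob(url string, skipVerify bool, roots *x509.CertPool) ([]byte, error) {
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: skipVerify, // the dangerous setting
				RootCAs:            roots,
				MinVersion:         tls.VersionTLS12,
			},
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// IsCertError reports whether err stems from certificate validation, i.e. the
// client refused an untrusted server rather than failing for some other reason.
func IsCertError(err error) bool {
	var unknownAuth x509.UnknownAuthorityError
	var hostMismatch x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownAuth) ||
		errors.As(err, &hostMismatch) ||
		errors.As(err, &invalid) ||
		errors.As(err, &noRoots)
}

// ImposterBlob is the constructed payload the fake registry serves; a real
// attacker would serve a trojaned VM image instead.
const ImposterBlob = "attacker-controlled image bytes"

// DemoResult captures what each client configuration observed.
type DemoResult struct {
	InsecureBody string // vulnerable client: accepts the imposter's payload
	InsecureErr  error
	VerifiedErr  error  // verifying client, system roots: must be a cert error
	TrustedBody  string // verifying client with the registry cert trusted
	TrustedErr   error
}

// RunDemo starts an httptest TLS server with a self-signed certificate, standing
// in for a MITM proxy or imposter registry, and fetches the same blob three ways.
func RunDemo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, ImposterBlob)
	}))
	defer srv.Close()
	// Hypothetical blob path; the digest is a placeholder, not a real image.
	url := srv.URL + "/v2/podman/machine-os/blobs/sha256:0000"

	var res DemoResult
	body, err := fetchBlob(url, true, nil) // the bug: verification disabled
	res.InsecureBody, res.InsecureErr = string(body), err

	_, res.VerifiedErr = fetchBlob(url, false, nil) // the fix: verify against system roots

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // operator explicitly trusts this registry
	body, err = fetchBlob(url, false, pool)
	res.TrustedBody, res.TrustedErr = string(body), err
	return res
}

func main() {
	r := RunDemo()
	fmt.Printf("no verification : body=%q err=%v\n", r.InsecureBody, r.InsecureErr)
	fmt.Printf("verification on : err=%v (cert error: %t)\n", r.VerifiedErr, IsCertError(r.VerifiedErr))
	fmt.Printf("trusted roots   : body=%q err=%v\n", r.TrustedBody, r.TrustedErr)
}
```

The third fetch is the one to keep in mind when reviewing a fix: turning verification on does not break legitimate use with a private registry, it only requires that the registry's issuing CA be present in the trust store (or added to the pool) instead of being skipped for everyone.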

Added: Jun 24, 2025, 2:48 PM
Updated: Jun 24, 2025, 2:48 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 5.4
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.