
Cloud Vulnerability DB
A community-led vulnerabilities database
An insecure modification vulnerability (CVE-2019-19355) was discovered in the openshift/ocp-release-operator-sdk, specifically affecting the openshift/ansible-operator-container as shipped in OpenShift 4. The vulnerability was related to incorrect privileges assigned to the /etc/passwd file. The issue was disclosed and addressed in March 2020 (Red Hat CVE).
The vulnerability stems from incorrect file permissions set on the /etc/passwd file within the container, allowing it to be modified by users other than root. The vulnerability received a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD). The issue is classified under CWE-269 (Improper Privilege Management) and CWE-266 (Incorrect Privilege Assignment) (NVD).
An attacker with access to the container could exploit this vulnerability to modify the /etc/passwd file and escalate their privileges to root. While OpenShift runs containers with restricted Security Context Constraints (SCC) that block SETUID and SETGID system calls, the vulnerability still presents an increased attack surface (Red Hat Article).
Red Hat has addressed this vulnerability through several security updates, including RHSA-2020:0683 for OpenShift Container Platform 4.3. The recommended solutions are either to rely on CRI-O (starting from OpenShift 4.2), which automatically inserts the random user for the container into /etc/passwd, or to use nss_wrapper to provide a local, unprivileged passwd file (Red Hat Article).
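A defensive check for the permission condition described above, added here as an example (it is not Red Hat's or the project's code): it inspects an unpacked container root filesystem and flags an /etc/passwd that is writable by anyone other than its owner. The function names, the unpacked-rootfs layout and the reading of "modifiable by users other than root" as the group/other write bits are assumptions.

```shell
#!/bin/sh
# Added example: audit /etc/passwd mode bits in an unpacked container rootfs.
# Function names and directory layout are assumptions, not project code.

# passwd_mode_check ROOTFS
#   returns 0 if ROOTFS/etc/passwd is writable by its owner only,
#           1 if the group or other write bit is set,
#           2 if the file is missing, a symlink, or not a regular file.
passwd_mode_check() {
    target="$1/etc/passwd"
    # Reject symlinks: an absolute link in an unpacked image would make
    # the check follow it out of the rootfs and inspect the wrong file.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        return 2
    fi
    # find prints the path only when group-write or other-write is set.
    hit=$(find "$target" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$hit" ]; then
        return 1
    fi
    return 0
}

# audit_rootfs ROOTFS: print a one-line verdict for reports or CI logs.
audit_rootfs() {
    rc=0
    passwd_mode_check "$1" || rc=$?
    case "$rc" in
        0) echo "OK: $1/etc/passwd is not group/other writable" ;;
        1) echo "FINDING: $1/etc/passwd writable by non-owner: $(ls -ln "$1/etc/passwd")" ;;
        *) echo "SKIP: $1/etc/passwd missing or not a regular file" ;;
    esac
}

# Demo on constructed sample trees (not real image contents).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/affected/etc" "$tmp/fixed/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/affected/etc/passwd"
    cp "$tmp/affected/etc/passwd" "$tmp/fixed/etc/passwd"
    chmod 664 "$tmp/affected/etc/passwd"   # group-writable: flagged
    chmod 644 "$tmp/fixed/etc/passwd"      # owner-writable only: passes
    audit_rootfs "$tmp/affected"
    audit_rootfs "$tmp/fixed"
    rm -rf "$tmp"
}
demo
```

Extracting an image as a non-root user does not preserve file ownership, so this check looks only at mode bits; verify that the owner is UID 0 separately when the extraction preserves ownership.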
Source: This report was generated using AI