{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14243", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-12-08T04:22:54.845Z", "datePublished": "2026-04-08T16:41:55.597Z", "dateUpdated": "2026-04-08T19:22:41.466Z"}, "containers": {"cna": {"title": "Mirror-registry: openshift mirror registry: user enumeration via authentication error messages", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation."}], "affected": [{"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14243", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419829", "name": "RHBZ#2419829", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T16:31:00.659Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2025-12-08T04:22:23.735Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T16:31:00.659Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala (Lloyds Banking) and Michael Whale (Lloyds BankingLloyds Banking) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-08T16:41:55.597Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:14:34.911976Z", "id": "CVE-2025-14243", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:41.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:14:34.911976Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:15:12.643Z"}}], "cna": {"title": "Mirror-registry: openshift mirror registry: user enumeration via authentication error messages", "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala (Lloyds Banking) and Michael Whale (Lloyds BankingLloyds Banking) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:mirror_registry:1"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:mirror_registry:2"], "vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "packageName": "openshift/mirror-registry-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-12-08T04:22:23.735Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T16:31:00.659Z", "value": "Made public."}], "datePublic": "2026-04-08T16:31:00.659Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14243", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419829", "name": "RHBZ#2419829", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-08T16:41:55.597Z"}, "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information"}}, "cveMetadata": {"cveId": "CVE-2025-14243", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:22:41.466Z", "dateReserved": "2025-12-08T04:22:54.845Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-08T16:41:55.597Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation."}], "id": "CVE-2025-14243", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-08T17:20:25.247", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-14243"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419829"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T19:21:20.780915+00:00", "value": {"mitigation_remediation": ["Apply any vendor patch or update that addresses the vulnerability as soon as it becomes available.", "If no patch is released yet, stay alert to Red\u00a0Hat security advisories and confirm the issue is fixed before proceeding further.", "As a temporary measure, reduce the detail in authentication error messages to prevent revealing whether a username exists.", "Restrict external access to the Mirror Registry service using network segmentation or firewall rules to lower the attack surface."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Red\u00a0Hat Mirror Registry for OpenShift and its second version, as sold and maintained by Red\u00a0Hat. All known releases of these products are potentially impacted; specific version ranges are not detailed in the advisory.", "description_and_impact": "A flaw in the OpenShift Mirror Registry lets an unauthenticated attacker discover existing usernames and email addresses by receiving different error responses during login attempts or account creation. The disclosed information (CWE\u2011209) can be used to plan credential\u2011guessing or social\u2011engineering attacks, but it does not provide direct access to data or code execution.", "risk_and_exploitability": "The CVSS base score of 5.3 places the issue in the moderate severity range. No EPSS score or KEV listing is available, suggesting the risk is not currently high from a deployment\u2011level viewpoint. The attack vector is remote and unauthenticated, requiring no special credentials. Any host that can reach the Mirror Registry service can enumerate valid users, increasing the likelihood of subsequent targeted credential attacks. The information revelation remains the primary impact, though it lays groundwork for more serious exploits if attackers combine it with other weaknesses."}}}}, "created": "2026-04-08T19:39:03.808204+00:00", "updated": "2026-04-08T19:39:03.808234+00:00", "vendors": []}