Antony Di

#42172 of 53,639
6.4 Total CVSS
Vulnerabilities · 1
PT-2025-32307
6.4
2025-08-07
Unknown · Operator-Sdk · CVE-2025-7195
**Name of the Vulnerable Software and Affected Versions**

Operator-SDK versions prior to 0.15.2

**Description**

Early versions of Operator-SDK shipped an insecure method for running operator containers in environments that assign a random UID. A build-time script, `user setup`, changed the permissions of `/etc/passwd` to 664, making the file writable by the root group. An attacker able to execute commands inside an affected container, even as a non-root user, could use membership in the root group to modify `/etc/passwd`, adding a new account with an arbitrary UID, including UID 0, and thereby gaining full root privileges within the container.

**Recommendations**

Update to Operator-SDK version 0.15.2 or later. If an older version must be used, ensure the insecure `user setup` script is not invoked during container image builds.
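The following POSIX shell check is an added example, not Operator-SDK code or part of the advisory: it detects the condition described above, a passwd file writable by group or others, and separately whether the current identity carries the root group. Function names are hypothetical and the sample passwd file is constructed in a temporary directory.

```shell
#!/bin/sh
# Added defensive check, not Operator-SDK code: flags a passwd file whose
# mode lets the group or others write to it (the condition the insecure
# `user setup` script created with chmod 664) and, separately, whether the
# current identity belongs to the root group. Helper names are hypothetical.

# is_group_or_world_writable MODE
# Returns 0 (true) when octal MODE has the write bit set for group or other.
is_group_or_world_writable() {
    m=$((0$1))                  # parse the octal mode string (e.g. 664, 2664)
    [ $((m & 022)) -ne 0 ]      # 020 = group write, 002 = other write
}

# has_root_group "GID LIST"
# Returns 0 when gid 0 appears in a space-separated list such as `id -G` prints.
has_root_group() {
    for g in $1; do
        [ "$g" -eq 0 ] && return 0
    done
    return 1
}

# check_passwd_file PATH
# Prints a verdict; returns 1 if PATH is group/world-writable, 0 otherwise.
check_passwd_file() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null) || mode=$(stat -f '%Lp' "$file")
    if is_group_or_world_writable "$mode"; then
        echo "VULNERABLE: $file mode $mode is group/world-writable"
        return 1
    fi
    echo "OK: $file mode $mode"
}

# Demo on a constructed sample file. Inside a running container the same
# check is: check_passwd_file /etc/passwd; has_root_group "$(id -G)"
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/passwd"
    chmod 664 "$tmp/passwd"     # what the insecure build script did
    check_passwd_file "$tmp/passwd" || true
    chmod 644 "$tmp/passwd"     # owner-writable only, as expected
    check_passwd_file "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

Both conditions together (writable passwd file and gid 0 in the group list) reproduce the exposure the advisory describes; either one alone is worth fixing in the image build.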