Empty Password in Configuration File

CVE-2025-9276

High

9.8/10

Summary

Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image. The specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22195.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-258 - Empty Password in Configuration File

Using an empty string as a password is insecure.

References

Advisory Timeline

Published Sep 02, 2025

Empty Password in Configuration File

CVE-2025-9276

Summary

CWE-258 - Empty Password in Configuration File

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS