CVE-2025-14243 - Vulnerability Details - OpenCVE

A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Mirror Registry

No data.

No data.

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2025-14243
https://bugzilla.redhat.com/show_bug.cgi?id=2419829

History

Wed, 08 Apr 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
Title		Mirror-registry: openshift mirror registry: user enumeration via authentication error messages
First Time appeared		Redhat Redhat mirror Registry
Weaknesses		CWE-209
CPEs		cpe:/a:redhat:mirror_registry:1 cpe:/a:redhat:mirror_registry:2
Vendors & Products		Redhat Redhat mirror Registry
References		https://access.redhat.com/security/cve/CVE-2025-14243 https://bugzilla.redhat.com/show_bug.cgi?id=2419829
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-04-08T16:41:55.597Z

Updated: 2026-04-08T19:22:41.466Z

Reserved: 2025-12-08T04:22:54.845Z

Link: CVE-2025-14243

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T17:20:25.247

Modified: 2026-04-08T17:20:25.247

Link: CVE-2025-14243

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14243", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-12-08T04:22:54.845Z", "datePublished": "2026-04-08T16:41:55.597Z", "dateUpdated": "2026-04-08T19:22:41.466Z"}, "containers": {"cna": {"title": "Mirror-registry: openshift mirror registry: user enumeration via authentication error messages", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation."}], "affected": [{"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:1"]}, {"vendor": "Red Hat", "product": "mirror registry for Red Hat OpenShift 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift/mirror-registry-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:mirror_registry:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14243", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419829", "name": "RHBZ#2419829", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-08T16:31:00.659Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-209: Generation of Error Message Containing Sensitive Information", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2025-12-08T04:22:23.735Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-08T16:31:00.659Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Antony Di Scala (Lloyds Banking) and Michael Whale (Lloyds BankingLloyds Banking) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-08T16:41:55.597Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:14:34.911976Z", "id": "CVE-2025-14243", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:22:41.466Z"}}]}}