CVE-2025-12414

EPSS 0.08%
Veröffentlicht 20.11.2025 10:32:52
Zuletzt bearbeitet 21.11.2025 15:13:59
Quelle f45cbf4e-4146-4068-b7e1-655ffc
CVE-Watchlists
Login
Unerledigt
Login

An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable.

This issue has already been mitigated for Looker-hosted.


Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page   https://download.looker.com/ :
  *  24.12.100+
  *  24.18.193+
  *  25.0.69+
  *  25.6.57+
  *  25.8.39+
  *  25.10.22+
  *  25.12.0+

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerGoogle Cloud

≫

Produkt Looker

Default Statusunaffected

Version < 24.12.100

Version 0

Status affected

Version < 24.18.193

Version 0

Status affected

Version < 25.0.69

Version 0

Status affected

Version < 25.6.57

Version 0

Status affected

Version < 25.8.39

Version 0

Status affected

Version < 25.10.22

Version 0

Status affected

Version < 25.12.0

Version 0

Status affected

HerstellerGoogle Cloud

≫

Produkt Looker

Default Statusunaffected

Version < 24.12.100

Version 0

Status affected

Version < 24.18.193

Version 0

Status affected

Version < 25.0.69

Version 0

Status affected

Version < 25.6.57

Version 0

Status affected

Version < 25.8.39

Version 0

Status affected

Version < 25.10.22

Version 0

Status affected

Version < 25.12.0

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.237

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
f45cbf4e-4146-4068-b7e1-655ffc2c548c	9.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://cloud.google.com/support/bulletins#GCP-2025-067

https://nvd.nist.gov/vuln/detail/CVE-2025-12414

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12414

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12414

EUVD