9.4
CVE-2025-25182
- EPSS 0.33%
- Veröffentlicht 12.02.2025 17:15:23
- Zuletzt bearbeitet 12.02.2025 17:15:23
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the application is accessible not through the ALB itself. This vulnerability may also allow for server-side request forgery which may lead to code execution or further privileges escalations when using the AWS metadata URL. This scenario assumes that Stroom must be configured to use ALB Authentication integration and the application is network accessible. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellergchq
≫
Produkt
stroom
Version
>= 7.2-beta.53, < 7.2.24
Status
affected
Version
= 7.5-beta.1
Status
affected
Version
>= 7.3-beta.1, < 7.3-beta.22
Status
affected
Version
>= 7.4-beta.1, < 7.4.4
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.55 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9.4 | 3.9 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
|
CWE-290 Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.