CVE-2025-32802

EPSS 0.01%
Veröffentlicht 28.05.2025 17:15:23
Zuletzt bearbeitet 29.05.2025 14:29:50
Quelle security-officer@isc.org
Teams Watchlist Login
Unerledigt Login

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea.  Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerISC

≫

Produkt Kea

Default Statusunaffected

Version <= 2.4.1

Version 2.4.0

Status affected

Version <= 2.6.2

Version 2.6.0

Status affected

Version <= 2.7.8

Version 2.7.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.002

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-officer@isc.org	6.1	1.8	4.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-379 Creation of Temporary File in Directory with Insecure Permissions

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://kb.isc.org/docs/cve-2025-32802

https://nvd.nist.gov/vuln/detail/CVE-2025-32802

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32802

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32802

EUVD