8.1

CVE-2025-54955

OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).

Vendor: OpenNebula
Product: OpenNebula
Default status: unaffected

Affected versions:
Enterprise Edition  < 6.10.3  affected
Community Edition   < 7.0.0   affected
No advisory was found for this CVE.

EPSS metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.33%   0.245

CVSS metrics
Source          Base Score  Exploit Score  Impact Score  Vector String
cve@mitre.org   8.1         2.2            5.9           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/OpenNebula/one
https://github.com/Stolichnayer/OpenNebula-Account-Takeover
https://docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.html
https://github.com/OpenNebula/one/releases/tag/release-7.0.0
https://github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6