CVE-2025-6193

EPSS 0.39%
Veröffentlicht 20.06.2025 15:54:13
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Trustyai-explainability: command injection via lmevaljob cr

A command injection vulnerability was discovered in the TrustyAI Explainability toolkit. Arbitrary commands placed in certain fields of a LMEValJob custom resource (CR) may be executed in the LMEvalJob pod's terminal. This issue can be exploited via a maliciously crafted LMEvalJob by a user with permissions to deploy a CR.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 6 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/trustyai-explainability/trustyai-service-operator

≫

Paket trustyAI

Default Statusunaffected

Version <= 1.38

Version 0

Status affected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift AI 2.16

Default Statusaffected

Version sha256:297d22ca72b764328f7d0b85f7f7c013c91ca85d70f08be45a6689c85da6b311

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift AI (RHOAI)

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift AI (RHOAI)

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift AI (RHOAI)

Default Statusunaffected

HerstellerRed Hat

≫

Produkt Red Hat OpenShift AI (RHOAI)

Default Statusunaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.598

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.9	1.7	3.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://access.redhat.com/security/cve/CVE-2025-6193

https://bugzilla.redhat.com/show_bug.cgi?id=2374032

https://github.com/trustyai-explainability/trustyai-service-operator/pull/504

https://access.redhat.com/errata/RHSA-2026:5807

https://nvd.nist.gov/vuln/detail/CVE-2025-6193

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6193

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6193

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-6193