Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
479 vulnerabilities
CVE-2026-5412 (GCVE-0-2026-5412)
Vulnerability from cvelistv5 – Published: 2026-04-10 12:22 – Updated: 2026-04-10 14:04
VLAI?
Title
Juju CloudSpec API could leak senstive information
Summary
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.
Severity ?
9.9 (Critical)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Ales Stimec
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:03:51.021044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:04:30.155Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.9.57",
"status": "affected",
"version": "2.9.0",
"versionType": "semver"
},
{
"lessThan": "3.6.21",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ales Stimec"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37: Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T12:22:05.403Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "CloudSpec method leaking cloud credentials",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969"
},
{
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/juju/juju/pull/22206"
},
{
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/juju/juju/pull/22205"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Juju CloudSpec API could leak senstive information"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-5412",
"datePublished": "2026-04-10T12:22:05.403Z",
"dateReserved": "2026-04-02T07:07:23.750Z",
"dateUpdated": "2026-04-10T14:04:30.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5774 (GCVE-0-2026-5774)
Vulnerability from cvelistv5 – Published: 2026-04-10 12:10 – Updated: 2026-04-10 12:41
VLAI?
Title
Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map
Summary
Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token.
Severity ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5774",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T12:41:23.862481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T12:41:28.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.9.57",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper synchronization of the userTokens map in the API server in Canonical Juju\u00a04.0.5,\u00a03.6.20, and 2.9.56 may allow an authenticated user to possibly cause a denial of service on the server or possibly reuse a single-use discharge token."
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26: Leveraging Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T12:10:55.634Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
},
{
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/juju/juju/pull/22206"
},
{
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/juju/juju/pull/22205"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Juju API Server Denial of Service and Authentication Replay via Unsynchronized Token Map"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-5774",
"datePublished": "2026-04-10T12:10:55.634Z",
"dateReserved": "2026-04-08T07:22:06.115Z",
"dateUpdated": "2026-04-10T12:41:28.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14551 (GCVE-0-2025-14551)
Vulnerability from cvelistv5 – Published: 2026-04-09 15:03 – Updated: 2026-04-10 13:54
VLAI?
Title
Senstive information disclosure was affecting subiquity
Summary
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Severity ?
CWE
- CWE-1258 - Exposure of sensitive system information due to uncleared debug information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T13:53:25.206297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:54:40.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "subiquity",
"platforms": [
"Linux"
],
"product": "Ubuntu",
"repo": "https://github.com/canonical/subiquity",
"vendor": "Canonical",
"versions": [
{
"lessThanOrEqual": "24.04.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user\u0027s plaintext Wi-Fi password, in the attached logs."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1258",
"description": "CWE-1258 Exposure of sensitive system information due to uncleared debug information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:03:58.798Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "noble backport - stop logging network config and identity data",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/subiquity/pull/2358"
},
{
"name": "Stop logging identity data and network secrets",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/subiquity/pull/2357"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Senstive information disclosure was affecting subiquity"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-14551",
"datePublished": "2026-04-09T15:03:58.798Z",
"dateReserved": "2025-12-11T20:32:58.130Z",
"dateUpdated": "2026-04-10T13:54:40.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15480 (GCVE-0-2025-15480)
Vulnerability from cvelistv5 – Published: 2026-04-09 15:02 – Updated: 2026-04-10 13:57
VLAI?
Title
Senstive information disclosure was affecting ubuntu-desktop-provision
Summary
In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs.
Severity ?
CWE
- CWE-1258 - Exposure of sensitive system information due to uncleared debug information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T13:56:33.119234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T13:57:17.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "ubuntu-desktop-provision",
"platforms": [
"Linux"
],
"product": "Ubuntu",
"repo": "https://github.com/canonical/ubuntu-desktop-provision",
"vendor": "Canonical",
"versions": [
{
"lessThanOrEqual": "24.04.4",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user\u0027s password hash in the attached logs."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1258",
"description": "CWE-1258 Exposure of sensitive system information due to uncleared debug information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:02:14.066Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "feat: don\u0027t log identity data (noble backport)",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1400"
},
{
"name": "feat: don\u0027t log identity data",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/ubuntu-desktop-provision/pull/1399"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Senstive information disclosure was affecting ubuntu-desktop-provision"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-15480",
"datePublished": "2026-04-09T15:02:14.066Z",
"dateReserved": "2026-01-07T14:28:47.147Z",
"dateUpdated": "2026-04-10T13:57:17.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34179 (GCVE-0-2026-34179)
Vulnerability from cvelistv5 – Published: 2026-04-09 09:22 – Updated: 2026-04-09 11:54
VLAI?
Title
Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Summary
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Severity ?
9.1 (Critical)
CWE
- CWE-915 - Improperly controlled modification of Dynamically-Determined object attributes
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Miha Purg
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34179",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T11:54:14.860013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T11:54:18.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"permissions.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "5.0.7",
"status": "affected",
"version": "4.12.0",
"versionType": "semver"
},
{
"lessThan": "5.21.5",
"status": "affected",
"version": "5.1.0",
"versionType": "semver"
},
{
"lessThan": "6.8.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miha Purg"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T09:22:14.693Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-c3h3-89qf-jqm5"
},
{
"name": "Improve validation on certificate edit",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/lxd/pull/17936"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Update of type field in restricted TLS certificate allows privilege escalation to cluster admin"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-34179",
"datePublished": "2026-04-09T09:22:14.693Z",
"dateReserved": "2026-03-26T09:24:08.449Z",
"dateUpdated": "2026-04-09T11:54:18.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34178 (GCVE-0-2026-34178)
Vulnerability from cvelistv5 – Published: 2026-04-09 09:18 – Updated: 2026-04-09 11:55
VLAI?
Title
Importing a crafted backup leads to project restriction bypass
Summary
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
Severity ?
9.1 (Critical)
CWE
- CWE-20 - Improper input validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Miha Purg
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34178",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T11:54:57.626476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T11:55:20.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"permissions.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "5.0.7",
"status": "affected",
"version": "4.12.0",
"versionType": "semver"
},
{
"lessThan": "5.21.5",
"status": "affected",
"version": "5.1.0",
"versionType": "semver"
},
{
"lessThan": "6.8.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miha Purg"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T09:18:58.404Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "Importing a crafted backup leads to project restriction bypass",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4"
},
{
"name": "Import: Create backup config from index",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/lxd/pull/17921"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Importing a crafted backup leads to project restriction bypass"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-34178",
"datePublished": "2026-04-09T09:18:58.404Z",
"dateReserved": "2026-03-26T09:24:08.449Z",
"dateUpdated": "2026-04-09T11:55:20.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34177 (GCVE-0-2026-34177)
Vulnerability from cvelistv5 – Published: 2026-04-09 09:15 – Updated: 2026-04-09 12:12
VLAI?
Title
VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Summary
Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root.
Severity ?
9.1 (Critical)
CWE
- CWE-184 - Incomplete list of disallowed inputs
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Miha Purg
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34177",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T12:12:43.482752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T12:12:48.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"permissions.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "5.0.7",
"status": "affected",
"version": "4.12.0",
"versionType": "semver"
},
{
"lessThan": "5.21.5",
"status": "affected",
"version": "5.1.0",
"versionType": "semver"
},
{
"lessThan": "6.8.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miha Purg"
}
],
"descriptions": [
{
"lang": "en",
"value": "Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete list of disallowed inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T09:15:27.532Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"name": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf",
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-fm2x-c5qw-4h6f"
},
{
"name": "lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/lxd/pull/17909"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-34177",
"datePublished": "2026-04-09T09:15:27.532Z",
"dateReserved": "2026-03-26T09:24:08.448Z",
"dateUpdated": "2026-04-09T12:12:48.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4370 (GCVE-0-2026-4370)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:09 – Updated: 2026-04-08 07:27
VLAI?
Title
Improper TLS Client/Server authentication and certificate verification on Database Cluster
Summary
A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
Severity ?
10 (Critical)
CWE
Assigner
References
Impacted products
Credits
Harry Pidcock
Thomas Miller
Joseph Phillips
Ian Booth
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4370",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:00:31.628747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:01:08.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.6.20",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "4.0.4",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Harry Pidcock"
},
{
"lang": "en",
"type": "analyst",
"value": "Thomas Miller"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joseph Phillips"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ian Booth"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller\u0027s database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller\u0027s Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper certificate validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing authentication for critical function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T07:27:16.821Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/juju/juju/security/advisories/GHSA-gvrj-cjch-728p"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper TLS Client/Server authentication and certificate verification on Database Cluster"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-4370",
"datePublished": "2026-04-01T08:09:17.570Z",
"dateReserved": "2026-03-18T08:46:09.947Z",
"dateUpdated": "2026-04-08T07:27:16.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32694 (GCVE-0-2026-32694)
Vulnerability from cvelistv5 – Published: 2026-03-18 12:55 – Updated: 2026-03-18 13:40
VLAI?
Title
Insecure Direct Object Reference attack via predictable secret ID in Juju
Summary
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
Severity ?
6.6 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Dima Tisnek
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32694",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:39:10.787656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:40:33.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.6.19",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dima Tisnek"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-59",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-59: Session Credential Falsification through Prediction"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-343",
"description": "CWE-343 Predictable value range from previous values",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T12:55:42.948Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"vdb-entry"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Insecure Direct Object Reference attack via predictable secret ID in Juju"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-32694",
"datePublished": "2026-03-18T12:55:42.948Z",
"dateReserved": "2026-03-13T12:53:34.544Z",
"dateUpdated": "2026-03-18T13:40:33.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32693 (GCVE-0-2026-32693)
Vulnerability from cvelistv5 – Published: 2026-03-18 12:47 – Updated: 2026-03-18 13:19
VLAI?
Title
Unauthorized access to Kubernetes secrets in Juju
Summary
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Dima Tisnek
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:16:08.879696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:19:58.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.6.19",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dima Tisnek"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Juju from version 3.0.0 through 3.6.18, the authorization of the \"secret-set\" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the \"secret-set\" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee."
}
],
"impacts": [
{
"capecId": "CAPEC-124",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-124: Shared Resource Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-778",
"description": "CWE-778 Insufficient logging",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T12:47:02.982Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"vdb-entry"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-439w-v2p7-pggc"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized access to Kubernetes secrets in Juju"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-32693",
"datePublished": "2026-03-18T12:47:02.982Z",
"dateReserved": "2026-03-13T12:53:34.544Z",
"dateUpdated": "2026-03-18T13:19:58.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32692 (GCVE-0-2026-32692)
Vulnerability from cvelistv5 – Published: 2026-03-18 12:35 – Updated: 2026-03-18 13:42
VLAI?
Title
Unauthorized update of out-of-scope Vault secrets
Summary
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end.
Severity ?
7.6 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Harry Pidcock
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:26:45.654119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:42:54.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.6.19",
"status": "affected",
"version": "3.1.6",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Harry Pidcock"
}
],
"descriptions": [
{
"lang": "en",
"value": "An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the scope of that Vault secret back-end."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T12:35:29.274Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"vdb-entry"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-89x7-5m5m-mcmm"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthorized update of out-of-scope Vault secrets"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-32692",
"datePublished": "2026-03-18T12:35:29.274Z",
"dateReserved": "2026-03-13T12:53:34.544Z",
"dateUpdated": "2026-03-18T13:42:54.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32691 (GCVE-0-2026-32691)
Vulnerability from cvelistv5 – Published: 2026-03-18 12:28 – Updated: 2026-03-18 13:49
VLAI?
Title
Timing ownership claim attack on new external back-end secrets
Summary
A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision.
Severity ?
5.3 (Medium)
CWE
- CWE-708 - Incorrect ownership assignment
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Harry Pidcock
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:46:45.894829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:49:09.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/juju/",
"defaultStatus": "unaffected",
"packageName": "juju",
"platforms": [
"Linux"
],
"product": "Juju",
"repo": "https://github.com/juju/juju",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.6.19",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Harry Pidcock"
}
],
"descriptions": [
{
"lang": "en",
"value": "A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret\u0027s first revision, an attacker authenticated as another unit agent can claim ownership of a known secret. This leads to the attacking unit being able to read the content of the initial secret revision."
}
],
"impacts": [
{
"capecId": "CAPEC-29",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-708",
"description": "CWE-708 Incorrect ownership assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T12:28:11.546Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"vdb-entry"
],
"url": "https://github.com/juju/juju/security/advisories/GHSA-gfgr-6hrj-85ww"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Timing ownership claim attack on new external back-end secrets"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-32691",
"datePublished": "2026-03-18T12:28:11.546Z",
"dateReserved": "2026-03-13T12:53:34.544Z",
"dateUpdated": "2026-03-18T13:49:09.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3888 (GCVE-0-2026-3888)
Vulnerability from cvelistv5 – Published: 2026-03-17 14:02 – Updated: 2026-03-18 08:59
VLAI?
Title
Local Privilege Escalation in snapd
Summary
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Severity ?
7.8 (High)
CWE
- CWE-268 - Privilege chaining
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
0 , < 2.75.1
(semver)
|
|||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Date Public ?
2026-03-17 14:00
Credits
Qualys Security Advisory Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T03:55:45.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-18T03:02:10.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical",
"defaultStatus": "unaffected",
"packageName": "snapd",
"repo": "https://github.com/canonical/snapd/",
"versions": [
{
"lessThan": "2.75.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/xenial",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 16.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.61.4ubuntu0.16.04.1+esm2",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/bionic",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 18.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.61.4ubuntu0.18.04.1+esm2",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/focal",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 20.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.67.1+20.04ubuntu1~esm1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/jammy",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 22.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.73+ubuntu22.04.1",
"versionType": "dpkg"
}
]
},
{
"collectionURL": "https://launchpad.net/ubuntu/noble",
"defaultStatus": "affected",
"packageName": "snapd",
"platforms": [
"Linux"
],
"product": "Ubuntu 24.04 LTS",
"repo": "https://launchpad.net/ubuntu/+source/snapd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.73+ubuntu24.04.2",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qualys Security Advisory Team"
}
],
"datePublic": "2026-03-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap\u0027s private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-268",
"description": "CWE-268 Privilege chaining",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T08:59:07.522Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry",
"issue-tracking"
],
"url": "https://ubuntu.com/security/CVE-2026-3888"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://ubuntu.com/security/notices/USN-8102-1"
},
{
"tags": [
"technical-description",
"vendor-advisory"
],
"url": "https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888"
},
{
"tags": [
"technical-description",
"media-coverage"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root"
},
{
"tags": [
"technical-description",
"media-coverage"
],
"url": "https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local Privilege Escalation in snapd"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-3888",
"datePublished": "2026-03-17T14:02:08.475Z",
"dateReserved": "2026-03-10T16:03:08.583Z",
"dateUpdated": "2026-03-18T08:59:07.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3497 (GCVE-0-2026-3497)
Vulnerability from cvelistv5 – Published: 2026-03-12 18:27 – Updated: 2026-03-18 18:20
VLAI?
Summary
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Severity ?
CWE
- CWE-908 - Use of Uninitialized Resource
Assigner
References
Impacted products
Date Public ?
2026-03-12 18:00
Credits
Jeremy Brown
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T19:04:05.760026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T19:04:27.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-18T18:20:11.514Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/12/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/14/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/14/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/18/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/",
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "openssh",
"repo": "https://launchpad.net/ubuntu/+source/openssh",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1:10.0p1-5ubuntu5.1",
"status": "affected",
"version": "1:10.0p1-5ubuntu5",
"versionType": "dpkg"
},
{
"lessThan": "1:9.6p1-3ubuntu13.15",
"status": "affected",
"version": "1:9.6p1-3ubuntu13",
"versionType": "dpkg"
},
{
"lessThan": "1:8.9p1-3ubuntu0.14",
"status": "affected",
"version": "1:8.9p1-3",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeremy Brown"
}
],
"datePublic": "2026-03-12T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T18:44:06.073Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://ubuntu.com/security/CVE-2026-3497"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/03/12/3"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-3497",
"datePublished": "2026-03-12T18:27:44.917Z",
"dateReserved": "2026-03-03T19:33:05.664Z",
"dateUpdated": "2026-03-18T18:20:11.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28384 (GCVE-0-2026-28384)
Vulnerability from cvelistv5 – Published: 2026-03-12 14:51 – Updated: 2026-03-13 16:30
VLAI?
Title
Authenticated RCE via unsanitized compression_algorithm
Summary
An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10.
Severity ?
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
Assigner
References
Impacted products
Date Public ?
2026-03-12 15:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28384",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:30:00.719316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:30:06.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"images.go",
"instance_backup.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.7",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21.0",
"versionType": "semver"
},
{
"lessThan": "5.0.6",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "4.12"
}
]
}
],
"datePublic": "2026-03-12T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper sanitization of the \u003ctt\u003ecompression_algorithm\u003c/tt\u003e parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
}
],
"value": "An improper sanitization of the compression_algorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the snap versions 5.0.6-e49d9f4 (channel 5.0/stable), 5.21.4-1374f39 (channel 5.21/stable), and 6.7-1f11451 (channel 6.0 stable). The channel 4.0/stable is not affected as it contains version 4.0.10."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T15:02:57.074Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g"
},
{
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/commit/043696a13171ace7dd4c2b32d34ce039ab629052"
},
{
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/commit/7046979645c2ce1b63b2f9e60ddf6cbc4c4b78f9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/commit/b7b411caf5c4971bfe2386c72128f44d7e2aaf4f"
},
{
"tags": [
"media-coverage"
],
"url": "https://discourse.ubuntu.com/t/lxd-authenticated-remote-code-execution-fixes-available/78365"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated RCE via unsanitized compression_algorithm"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-28384",
"datePublished": "2026-03-12T14:51:29.991Z",
"dateReserved": "2026-02-27T11:06:14.064Z",
"dateUpdated": "2026-03-13T16:30:06.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13350 (GCVE-0-2025-13350)
Vulnerability from cvelistv5 – Published: 2026-03-05 18:56 – Updated: 2026-03-06 10:37
VLAI?
Title
Use-after-free of orphaned AF_UNIX in Ubuntu builds of Linux kernel
Summary
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84.
Severity ?
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Ubuntu Linux |
Affected:
6.8.0-56.58 , < 6.8.0-84.84
(dpkg)
|
Credits
Noam Rathaus
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-05T20:11:41.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/05/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T10:37:26.433118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T10:37:47.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"modules": [
"AF_UNIX"
],
"packageName": "linux",
"product": "Ubuntu Linux",
"programFiles": [
"net/unix/garbage.c"
],
"programRoutines": [
{
"name": "unix_gc()"
}
],
"repo": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.8.0-84.84",
"status": "affected",
"version": "6.8.0-56.58",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Noam Rathaus"
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 (\"af_unix: Don\u2019t call skb_get() for OOB skb\"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T18:56:03.433Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2121515"
},
{
"tags": [
"patch"
],
"url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=79cbc2a1d4f61e492ddac5da65b075836675f94d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use-after-free of orphaned AF_UNIX in Ubuntu builds of Linux kernel",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-13350",
"datePublished": "2026-03-05T18:56:03.433Z",
"dateReserved": "2025-11-18T09:33:14.643Z",
"dateUpdated": "2026-03-06T10:37:47.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3351 (GCVE-0-2026-3351)
Vulnerability from cvelistv5 – Published: 2026-03-03 12:49 – Updated: 2026-03-05 17:20
VLAI?
Title
Authorization Bypass in LXD GET /1.0/certificates Endpoint
Summary
Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T14:46:45.446167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T14:47:00.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/canonical/lxd",
"defaultStatus": "unaffected",
"packageName": "lxd",
"platforms": [
"Linux"
],
"product": "lxd",
"programFiles": [
"certificates.go"
],
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T17:20:25.645Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vdb-entry",
"vendor-advisory"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-crmg-9m86-636r"
},
{
"name": "lxd/certificates: Return only allowed certificates in non-recursive list",
"tags": [
"patch",
"issue-tracking"
],
"url": "https://github.com/canonical/lxd/pull/17738"
},
{
"tags": [
"patch"
],
"url": "https://github.com/canonical/lxd/commit/d936c90d47cf0be1e9757df897f769e9887ebde1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass in LXD GET /1.0/certificates Endpoint",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-3351",
"datePublished": "2026-03-03T12:49:25.034Z",
"dateReserved": "2026-02-27T16:38:38.974Z",
"dateUpdated": "2026-03-05T17:20:25.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1237 (GCVE-0-2026-1237)
Vulnerability from cvelistv5 – Published: 2026-01-28 15:01 – Updated: 2026-01-28 15:06
VLAI?
Summary
Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing.
Severity ?
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:05:47.431871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:06:23.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "juju",
"vendor": "Canonical",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerable cross-model authorization in juju. If a charm\u0027s cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-672",
"description": "CWE-672 Operation on a Resource after Expiration or Release",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:01:46.364Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x"
}
],
"source": {
"discovery": "INTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2026-1237",
"datePublished": "2026-01-28T15:01:46.364Z",
"dateReserved": "2026-01-20T16:56:24.051Z",
"dateUpdated": "2026-01-28T15:06:23.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5467 (GCVE-0-2025-5467)
Vulnerability from cvelistv5 – Published: 2025-12-10 18:00 – Updated: 2025-12-10 18:45
VLAI?
Title
Ubuntu Apport Insecure File Permissions Vulnerability
Summary
It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.
Severity ?
CWE
- CWE-708 - Incorrect Ownership Assignment
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | apport |
Affected:
2.20.11-0ubuntu82 , < 2.20.11-0ubuntu82.7
(dpkg)
Affected: 2.32.0 , < 2.32.0-0ubuntu5.1 (dpkg) Affected: 2.20.9 , < 2.20.9-0ubuntu7.29+esm1 (dpkg) Affected: 2.28.1 , < 2.28.1-0ubuntu3.6 (dpkg) Affected: 2.33.0 , < 2.33.0-0ubuntu1 (dpkg) Affected: 2.20.1 , < 2.20.1-0ubuntu2.30+esm5 (dpkg) Affected: 2.20.11-0ubuntu27 , < 2.20.11-0ubuntu27.28 (dpkg) |
Date Public ?
2025-06-02 17:36
Credits
Rich Mirch
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5467",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T18:33:45.578963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T18:45:08.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/",
"defaultStatus": "unaffected",
"packageName": "apport",
"product": "apport",
"programFiles": [
"data/apport"
],
"programRoutines": [
{
"name": "process_crash()"
}
],
"vendor": "Canonical",
"versions": [
{
"lessThan": "2.20.11-0ubuntu82.7",
"status": "affected",
"version": "2.20.11-0ubuntu82",
"versionType": "dpkg"
},
{
"lessThan": "2.32.0-0ubuntu5.1",
"status": "affected",
"version": "2.32.0",
"versionType": "dpkg"
},
{
"lessThan": "2.20.9-0ubuntu7.29+esm1",
"status": "affected",
"version": "2.20.9",
"versionType": "dpkg"
},
{
"lessThan": "2.28.1-0ubuntu3.6",
"status": "affected",
"version": "2.28.1",
"versionType": "dpkg"
},
{
"lessThan": "2.33.0-0ubuntu1",
"status": "affected",
"version": "2.33.0",
"versionType": "dpkg"
},
{
"lessThan": "2.20.1-0ubuntu2.30+esm5",
"status": "affected",
"version": "2.20.1",
"versionType": "dpkg"
},
{
"lessThan": "2.20.11-0ubuntu27.28",
"status": "affected",
"version": "2.20.11-0ubuntu27",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rich Mirch"
}
],
"datePublic": "2025-06-02T17:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was discovered that process_crash() in data/apport in Canonical\u0027s Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups."
}
],
"value": "It was discovered that process_crash() in data/apport in Canonical\u0027s Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups."
}
],
"impacts": [
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639: Probe System Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 1.9,
"baseSeverity": "LOW",
"exploitMaturity": "PROOF_OF_CONCEPT",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-708",
"description": "CWE-708: Incorrect Ownership Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T18:00:35.967Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://www.stratascale.com/resource/cve-2025-32462-ubuntu-apport-vulnerability/"
},
{
"url": "https://bugs.launchpad.net/apport/+bug/2106338"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Ubuntu Apport Insecure File Permissions Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-5467",
"datePublished": "2025-12-10T18:00:35.967Z",
"dateReserved": "2025-06-02T12:03:56.269Z",
"dateUpdated": "2025-12-10T18:45:08.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6966 (GCVE-0-2025-6966)
Vulnerability from cvelistv5 – Published: 2025-12-05 12:59 – Updated: 2025-12-15 22:04
VLAI?
Title
Null-pointer dereference in python-apt TagSection.keys()
Summary
NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | python-apt |
Affected:
3.0 , < 3.0.0ubuntu1.1
(custom)
Affected: 3.0 , < 3.0.0ubuntu0.25.04.1 (custom) Affected: 2.7 , < 2.7.7ubuntu5.1 (custom) Affected: 2.4 , < 2.4.0ubuntu4.1 (custom) Affected: 2.0 , < 2.0.1ubuntu0.20.04.1+esm1 (custom) Affected: 1.6 , < 1.6.6ubuntu0.1~esm1 (custom) Affected: 1.1 , < 1.1.0~beta1ubuntu0.16.04.12+esm1 (custom) Affected: 0 , < 0.9.3.5ubuntu3+esm5 (custom) |
Date Public ?
2025-12-05 12:00
Credits
Julian Andres Klode
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T14:01:32.250030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T14:01:38.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-15T22:04:15.781Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://launchpad.net/ubuntu/+source/python-apt",
"defaultStatus": "unaffected",
"packageName": "python-apt",
"platforms": [
"Linux"
],
"product": "python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.0.0ubuntu1.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "3.0.0ubuntu0.25.04.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2.7.7ubuntu5.1",
"status": "affected",
"version": "2.7",
"versionType": "custom"
},
{
"lessThan": "2.4.0ubuntu4.1",
"status": "affected",
"version": "2.4",
"versionType": "custom"
},
{
"lessThan": "2.0.1ubuntu0.20.04.1+esm1",
"status": "affected",
"version": "2.0",
"versionType": "custom"
},
{
"lessThan": "1.6.6ubuntu0.1~esm1",
"status": "affected",
"version": "1.6",
"versionType": "custom"
},
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.12+esm1",
"status": "affected",
"version": "1.1",
"versionType": "custom"
},
{
"lessThan": "0.9.3.5ubuntu3+esm5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julian Andres Klode"
}
],
"datePublic": "2025-12-05T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T13:14:27.526Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Null-pointer dereference in python-apt TagSection.keys()"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-6966",
"datePublished": "2025-12-05T12:59:41.320Z",
"dateReserved": "2025-07-01T09:59:55.552Z",
"dateUpdated": "2025-12-15T22:04:15.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7044 (GCVE-0-2025-7044)
Vulnerability from cvelistv5 – Published: 2025-12-03 15:45 – Updated: 2025-12-03 16:42
VLAI?
Title
Privilege Escalation in MAAS via Websocket Request Manipulation
Summary
An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment.
Severity ?
7.7 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Credits
Jacopo Rota
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T16:41:56.792010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:42:52.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://canonical.com/maas",
"defaultStatus": "unaffected",
"packageName": "maas",
"platforms": [
"Linux"
],
"product": "MAAS",
"repo": "https://launchpad.net/maas",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "3.3.11",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.4.9",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.5.9",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.6.2",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.7.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jacopo Rota"
}
],
"descriptions": [
{
"lang": "en",
"value": "An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T15:45:47.494Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/maas/+bug/2115714"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Privilege Escalation in MAAS via Websocket Request Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-7044",
"datePublished": "2025-12-03T15:45:47.494Z",
"dateReserved": "2025-07-03T08:57:34.048Z",
"dateUpdated": "2025-12-03T16:42:52.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2486 (GCVE-0-2025-2486)
Vulnerability from cvelistv5 – Published: 2025-11-26 17:33 – Updated: 2025-11-26 18:25
VLAI?
Title
UEFI Shell accessible in AAVMF with Secure Boot enabled on Ubuntu
Summary
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Severity ?
CWE
- CWE-489 - Active Debug Code
Assigner
References
Impacted products
Credits
Dann Frazier
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T18:25:19.164474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T18:25:29.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"AAVMF UEFI Shell"
],
"platforms": [
"aarch64"
],
"product": "edk2",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "2024.05-2ubuntu0.3",
"status": "affected",
"version": "2024.05",
"versionType": "dpkg"
},
{
"lessThan": "2024.02-2ubuntu0.3",
"status": "affected",
"version": "2024.02",
"versionType": "dpkg"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dann Frazier"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733."
}
],
"value": "The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 3.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-489",
"description": "CWE-489: Active Debug Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T17:33:17.506Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "UEFI Shell accessible in AAVMF with Secure Boot enabled on Ubuntu"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-2486",
"datePublished": "2025-11-26T17:33:17.506Z",
"dateReserved": "2025-03-18T01:16:20.240Z",
"dateUpdated": "2025-11-26T18:25:29.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11230 (GCVE-0-2025-11230)
Vulnerability from cvelistv5 – Published: 2025-11-19 09:28 – Updated: 2025-11-19 17:09
VLAI?
Title
Denial of service vulnerability in HAProxy mjson library
Summary
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
Severity ?
7.5 (High)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HAProxy Technologies | HAProxy Community Edition |
Affected:
2.4.0 , < 2.4.30
(semver)
Affected: 2.6.0 , < 2.6.23 (semver) Affected: 2.8.0 , < 2.8.16 (semver) Affected: 3.0.0 , < 3.0.12 (semver) Affected: 3.1.0 , < 3.1.9 (semver) Affected: 3.2.0 , < 3.2.6 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T17:06:27.675545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T17:09:15.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HAProxy Community Edition",
"programFiles": [
"src/mjson.c"
],
"repo": "https://git.haproxy.org/",
"vendor": "HAProxy Technologies",
"versions": [
{
"lessThan": "2.4.30",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"lessThan": "2.6.23",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
},
{
"lessThan": "2.8.16",
"status": "affected",
"version": "2.8.0",
"versionType": "semver"
},
{
"lessThan": "3.0.12",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.9",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.6",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."
}
],
"value": "Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T09:28:39.750Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of service vulnerability in HAProxy mjson library"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-11230",
"datePublished": "2025-11-19T09:28:39.750Z",
"dateReserved": "2025-10-01T13:10:26.249Z",
"dateUpdated": "2025-11-19T17:09:15.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54293 (GCVE-0-2025-54293)
Vulnerability from cvelistv5 – Published: 2025-10-02 10:43 – Updated: 2025-10-02 15:53
VLAI?
Title
Path Traversal in LXD Instance Log File Retrieval
Summary
Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54293",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:29:32.525667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:53:20.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
}
],
"value": "Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:58.246Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in LXD Instance Log File Retrieval"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54293",
"datePublished": "2025-10-02T10:43:58.246Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T15:53:20.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54292 (GCVE-0-2025-54292)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:26 – Updated: 2025-10-02 15:53
VLAI?
Title
Client-Side Path Traversal in LXD-UI
Summary
Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T15:29:53.977916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T15:53:35.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
}
],
"value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:57.080Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Client-Side Path Traversal in LXD-UI"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54292",
"datePublished": "2025-10-02T09:26:39.228Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T15:53:35.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54291 (GCVE-0-2025-54291)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:25 – Updated: 2025-10-02 17:29
VLAI?
Title
Project existence disclosure in LXD images API
Summary
Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.
Severity ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T17:29:40.781427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T17:29:54.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
}
],
"value": "Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses."
}
],
"impacts": [
{
"capecId": "CAPEC-497",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-497 File Discovery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:55.396Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Project existence disclosure in LXD images API"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54291",
"datePublished": "2025-10-02T09:25:42.466Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T17:29:54.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54290 (GCVE-0-2025-54290)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:24 – Updated: 2025-10-02 17:31
VLAI?
Title
Project Existence Disclosure via Error Handling in LXD Image Export
Summary
Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54290",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T17:30:50.760985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T17:31:02.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
}
],
"value": "Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:53.703Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Project Existence Disclosure via Error Handling in LXD Image Export"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54290",
"datePublished": "2025-10-02T09:24:12.894Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T17:31:02.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54289 (GCVE-0-2025-54289)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:23 – Updated: 2026-02-26 17:48
VLAI?
Title
Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API
Summary
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
Severity ?
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T03:55:37.907288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:48:23.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Escalation in operations API in Canonical LXD \u0026lt;6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
}
],
"value": "Privilege Escalation in operations API in Canonical LXD \u003c6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T13:15:54.374Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54289",
"datePublished": "2025-10-02T09:23:03.238Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2026-02-26T17:48:23.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54288 (GCVE-0-2025-54288)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:20 – Updated: 2025-10-02 13:22
VLAI?
Title
Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
Summary
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
Severity ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54288",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T13:22:52.637179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:22:55.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line."
}
],
"value": "Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line."
}
],
"impacts": [
{
"capecId": "CAPEC-154",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-154 Resource Location Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:50.400Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54288",
"datePublished": "2025-10-02T09:20:33.135Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T13:22:55.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54287 (GCVE-0-2025-54287)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:16 – Updated: 2025-10-02 13:27
VLAI?
Title
Arbitrary File Read via Template Injection in Snapshot Patterns
Summary
Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration
permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
Credits
GMO Flatt Security Inc.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T13:27:39.753650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:27:42.957Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Template Injection in instance snapshot creation component in Canonical LXD (\u0026gt;= 4.0) allows an attacker with instance configuration \npermissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine."
}
],
"value": "Template Injection in instance snapshot creation component in Canonical LXD (\u003e= 4.0) allows an attacker with instance configuration \npermissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine."
}
],
"impacts": [
{
"capecId": "CAPEC-165",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-165 File Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T10:43:48.716Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-w2hg-2v4p-vmh6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary File Read via Template Injection in Snapshot Patterns"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54287",
"datePublished": "2025-10-02T09:16:02.241Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2025-10-02T13:27:42.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}