Bug 2367495 (CVE-2025-32802)
Summary: | CVE-2025-32802 kea: Insecure handling of file paths allows multiple local attacks
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | OSIDB Bzimport <bzimport>
Assignee: | Product Security DevOps Team <prodsec-dev>
Status: | NEW
Severity: | medium
Priority: | medium
Version: | unspecified
CC: | mbenatto, mosvald, security-response-team
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Text: | A vulnerability was found in the Kea package. If an attacker has access to a local user account and the Kea API entry points are not secured, the attacker may use the API to modify Kea's configuration files or overwrite any file on the system to which the user running Kea has write access. This may be leveraged to cause a system-wide denial of service or to achieve local privilege escalation. Additionally, if Kea's control sockets are enabled and placed in an insecure location, any local user may impersonate the Kea service and prevent the real Kea service from starting.
Bug Depends On: | 2370277, 2370278, 2370279
Deadline: | 2025-05-28

Description
OSIDB Bzimport
2025-05-20 15:08:47 UTC