Bug 2432045 (CVE-2025-15523)
| Summary: | CVE-2025-15523 inkscape: TCC Bypass via Inherited Permissions in Bundled Interpreter in Inkscape.app | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in the macOS version of Inkscape. This issue allows a local attacker to bypass Transparency, Consent, and Control (TCC) permissions by invoking the bundled Python interpreter with arbitrary commands or scripts. This enables unauthorized access to user files in privacy-protected directories without triggering user prompts. Also, accessing resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising malicious actions as legitimate operations. |
| Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
OSIDB Bzimport
2026-01-22 15:01:35 UTC