Bug 2371363 (CVE-2025-5962) - CVE-2025-5962 rhel-lightspeed: Improper Access Control in Lightspeed History Management Allows Local Privilege Manipulation
Summary: CVE-2025-5962 rhel-lightspeed: Improper Access Control in Lightspeed History ...
Status: NEW
Alias: CVE-2025-5962
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2025-06-10 06:13 UTC by OSIDB Bzimport
Modified: 2025-09-22 08:03 UTC

Description OSIDB Bzimport 2025-06-10 06:13:23 UTC
Improper Access Control vulnerability in the com.redhat.lightspeed.history service of the Lightspeed platform. The methods that handle user history perform no authorization check on the caller, so any local user can inject, retrieve, or delete the chat history of other users. An attacker can insert a crafted command such as sudo rm -rf / into another user's chat history and rely on the victim's trust in their own past prompts to get the harmful command executed. The flaw requires no authentication, user interaction, or elevated privileges to exploit, and it affects every user on a shared system.
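The following is an added example, not rhel-lightspeed code and not taken from this report. It is a hypothetical model of the flaw class described above: a per-user history service whose methods take a target user id and never check that the caller owns it, shown beside a hardened version that denies cross-user access. The class and method names, the uids, and the `caller_uid` parameter are assumptions; `caller_uid` stands for the identity a real daemon resolves from the transport (the D-Bus daemon or SO_PEERCRED on a Unix socket), never for a value the client supplies in the request.

```python
# Added example (hypothetical model, not rhel-lightspeed code): a history
# service with no authorization check beside a hardened one.  All names and
# uids below are assumptions.  caller_uid is the identity the transport
# layer resolved for the connection; target_uid is what the client asked for.

VICTIM_UID = 1000                  # constructed: user whose history is attacked
ATTACKER_UID = 1001                # constructed: unprivileged local user
INJECTED_PROMPT = "sudo rm -rf /"  # the payload named in the description


class VulnerableHistoryService:
    """Trusts the client-supplied target_uid: the caller is never checked."""

    def __init__(self):
        # History keyed by uid.  The storage is fine; the access path is not.
        self._history = {}

    def add_entry(self, caller_uid, target_uid, prompt):
        self._history.setdefault(target_uid, []).append(prompt)

    def get_history(self, caller_uid, target_uid):
        return list(self._history.get(target_uid, []))

    def delete_history(self, caller_uid, target_uid):
        self._history.pop(target_uid, None)


class HardenedHistoryService(VulnerableHistoryService):
    """Same API, but every method first verifies caller_uid owns target_uid."""

    @staticmethod
    def _authorize(caller_uid, target_uid):
        # Deny cross-user access outright: an unprivileged user has no
        # legitimate reason to read, write or wipe another user's history.
        if caller_uid != target_uid:
            raise PermissionError(
                f"uid {caller_uid} may not access history of uid {target_uid}")

    def add_entry(self, caller_uid, target_uid, prompt):
        self._authorize(caller_uid, target_uid)
        super().add_entry(caller_uid, target_uid, prompt)

    def get_history(self, caller_uid, target_uid):
        self._authorize(caller_uid, target_uid)
        return super().get_history(caller_uid, target_uid)

    def delete_history(self, caller_uid, target_uid):
        self._authorize(caller_uid, target_uid)
        super().delete_history(caller_uid, target_uid)


def run_cross_user_attack(service):
    """Replay the three abuses from the description (inject, retrieve, delete)
    as ATTACKER_UID against VICTIM_UID's history and record what the victim
    sees after each step.  A step the service blocks is recorded as the
    PermissionError it raised."""
    # The victim has one innocuous prompt in their own history (constructed).
    service.add_entry(VICTIM_UID, VICTIM_UID, "list files in /tmp")
    result = {}

    def attempt(name, fn):
        try:
            result[name] = fn()
        except PermissionError as exc:
            result[name] = exc

    attempt("inject", lambda: service.add_entry(ATTACKER_UID, VICTIM_UID, INJECTED_PROMPT))
    result["victim_after_inject"] = service.get_history(VICTIM_UID, VICTIM_UID)
    attempt("read", lambda: service.get_history(ATTACKER_UID, VICTIM_UID))
    attempt("delete", lambda: service.delete_history(ATTACKER_UID, VICTIM_UID))
    result["victim_after_delete"] = service.get_history(VICTIM_UID, VICTIM_UID)
    return result


if __name__ == "__main__":
    for cls in (VulnerableHistoryService, HardenedHistoryService):
        print(cls.__name__)
        for step, outcome in run_cross_user_attack(cls()).items():
            print(f"  {step}: {outcome!r}")
```

Against the vulnerable service the victim's history gains `sudo rm -rf /`, the attacker can read it back, and the delete step leaves it empty; against the hardened service all three attacker steps raise PermissionError and the victim's history is untouched. The point of the model is where the identity comes from: in a D-Bus service the caller's uid is obtained from the bus (org.freedesktop.DBus.GetConnectionUnixUser), and on a raw Unix socket from SO_PEERCRED; a uid or user name carried inside the request itself is attacker-controlled and must not be used for the ownership decision.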