Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog
Консоль
Π›ΠΎΠ³ΠΎΡ‚ΠΈΠΏ exploitDog

exploitDog

fstec Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

BDU:2025-10922

ΠžΠΏΡƒΠ±Π»ΠΈΠΊΠΎΠ²Π°Π½ΠΎ: 28 Π°ΠΏΡ€. 2025
Π˜ΡΡ‚ΠΎΡ‡Π½ΠΈΠΊ: fstec
CVSS3: 4.3
CVSS2: 5
EPSS Низкий

ОписаниС

Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ Π±ΠΈΠ±Π»ΠΈΠΎΡ‚Π΅ΠΊΠΈ libsoup графичСского интСрфСйса GNOME связана с нСдостаточной ΠΏΡ€ΠΎΠ²Π΅Ρ€ΠΊΠΎΠΉ рСгистра. Эксплуатация уязвимости ΠΌΠΎΠΆΠ΅Ρ‚ ΠΏΠΎΠ·Π²ΠΎΠ»ΠΈΡ‚ΡŒ Π½Π°Ρ€ΡƒΡˆΠΈΡ‚Π΅Π»ΡŽ, Π΄Π΅ΠΉΡΡ‚Π²ΡƒΡŽΡ‰Π΅ΠΌΡƒ ΡƒΠ΄Π°Π»Π΅Π½Π½ΠΎ, ΠΎΠΊΠ°Π·Π°Ρ‚ΡŒ воздСйствиС Π½Π° Ρ†Π΅Π»ΠΎΡΡ‚Π½ΠΎΡΡ‚ΡŒ Π·Π°Ρ‰ΠΈΡ‰Π°Π΅ΠΌΠΎΠΉ ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΠΈ

Π’Π΅Π½Π΄ΠΎΡ€

Red Hat Inc.
Canonical Ltd.
АО Β«Π‘Π±Π΅Ρ€Π’Π΅Ρ…Β»
GNOME Foundation

НаимСнованиС ПО

Red Hat Enterprise Linux
Ubuntu
Platform V SberLinux OS Server
libsoup

ВСрсия ПО

6 (Red Hat Enterprise Linux)
7 (Red Hat Enterprise Linux)
16.04 LTS (Ubuntu)
18.04 LTS (Ubuntu)
8 (Red Hat Enterprise Linux)
20.04 LTS (Ubuntu)
22.04 LTS (Ubuntu)
9 (Red Hat Enterprise Linux)
24.04 LTS (Ubuntu)
25.04 (Ubuntu)
10 (Red Hat Enterprise Linux)
9.1 (Platform V SberLinux OS Server)
2.72.0 (libsoup)

Вип ПО

ΠžΠΏΠ΅Ρ€Π°Ρ†ΠΈΠΎΠ½Π½Π°Ρ систСма
Π‘Π΅Ρ‚Π΅Π²ΠΎΠ΅ ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ½ΠΎΠ΅ срСдство

ΠžΠΏΠ΅Ρ€Π°Ρ†ΠΈΠΎΠ½Π½Ρ‹Π΅ систСмы ΠΈ Π°ΠΏΠΏΠ°Ρ€Π°Ρ‚Π½Ρ‹Π΅ ΠΏΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΡ‹

Red Hat Inc. Red Hat Enterprise Linux 6
Red Hat Inc. Red Hat Enterprise Linux 7
Canonical Ltd. Ubuntu 16.04 LTS
Canonical Ltd. Ubuntu 18.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 8
Canonical Ltd. Ubuntu 20.04 LTS
Canonical Ltd. Ubuntu 22.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 9
Canonical Ltd. Ubuntu 24.04 LTS
Canonical Ltd. Ubuntu 25.04
Red Hat Inc. Red Hat Enterprise Linux 10
АО Β«Π‘Π±Π΅Ρ€Π’Π΅Ρ…Β» Platform V SberLinux OS Server 9.1

Π£Ρ€ΠΎΠ²Π΅Π½ΡŒ опасности уязвимости

Π‘Ρ€Π΅Π΄Π½ΠΈΠΉ ΡƒΡ€ΠΎΠ²Π΅Π½ΡŒ опасности (базовая ΠΎΡ†Π΅Π½ΠΊΠ° CVSS 2.0 составляСт 5)
Π‘Ρ€Π΅Π΄Π½ΠΈΠΉ ΡƒΡ€ΠΎΠ²Π΅Π½ΡŒ опасности (базовая ΠΎΡ†Π΅Π½ΠΊΠ° CVSS 3.1 составляСт 4,3)

Π’ΠΎΠ·ΠΌΠΎΠΆΠ½Ρ‹Π΅ ΠΌΠ΅Ρ€Ρ‹ ΠΏΠΎ ΡƒΡΡ‚Ρ€Π°Π½Π΅Π½ΠΈΡŽ уязвимости

ИспользованиС Ρ€Π΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°Ρ†ΠΈΠΉ производитСля:
https://bugzilla.redhat.com/show_bug.cgi?id=2362651
Для ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ½Ρ‹Ρ… ΠΏΡ€ΠΎΠ΄ΡƒΠΊΡ‚ΠΎΠ² Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2025-4035
Для ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ½Ρ‹Ρ… ΠΏΡ€ΠΎΠ΄ΡƒΠΊΡ‚ΠΎΠ² Ubuntu:
https://ubuntu.com/security/CVE-2025-4035
ΠšΠΎΠΌΠΏΠ΅Π½ΡΠΈΡ€ΡƒΡŽΡ‰ΠΈΠ΅ ΠΌΠ΅Ρ€Ρ‹:
- минимизация ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»ΡŒΡΠΊΠΈΡ… ΠΏΡ€ΠΈΠ²ΠΈΠ»Π΅Π³ΠΈΠΉ;
- ΠΎΡ‚ΠΊΠ»ΡŽΡ‡Π΅Π½ΠΈΠ΅/ΡƒΠ΄Π°Π»Π΅Π½ΠΈΠ΅ Π½Π΅ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠ΅ΠΌΡ‹Ρ… ΡƒΡ‡Ρ‘Ρ‚Π½Ρ‹Ρ… записСй ΠΏΠΎΠ»ΡŒΠ·ΠΎΠ²Π°Ρ‚Π΅Π»Π΅ΠΉ;
- ΠΊΠΎΠ½Ρ‚Ρ€ΠΎΠ»ΡŒ ΠΆΡƒΡ€Π½Π°Π»ΠΎΠ² Π°ΡƒΠ΄ΠΈΡ‚Π° кластСра для отслСТивания ΠΏΠΎΠΏΡ‹Ρ‚ΠΎΠΊ эксплуатации уязвимости.

Бтатус уязвимости

ΠŸΠΎΠ΄Ρ‚Π²Π΅Ρ€ΠΆΠ΄Π΅Π½Π° ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»Π΅ΠΌ

НаличиС эксплойта

Π”Π°Π½Π½Ρ‹Π΅ ΡƒΡ‚ΠΎΡ‡Π½ΡΡŽΡ‚ΡΡ

Π˜Π½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΡ ΠΎΠ± устранСнии

Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ устранСна

Бсылки Π½Π° источники

Π˜Π΄Π΅Π½Ρ‚ΠΈΡ„ΠΈΠΊΠ°Ρ‚ΠΎΡ€Ρ‹ Π΄Ρ€ΡƒΠ³ΠΈΡ… систСм описаний уязвимостСй

EPSS

ΠŸΡ€ΠΎΡ†Π΅Π½Ρ‚ΠΈΠ»ΡŒ: 7%
0.00028
Низкий

4.3 Medium

CVSS3

5 Medium

CVSS2

БвязанныС уязвимости

ubuntu Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2025-4035

CVSS3: 4.3
ubuntu
6 мСсяцСв Π½Π°Π·Π°Π΄

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

redhat Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2025-4035

CVSS3: 4.3
redhat
6 мСсяцСв Π½Π°Π·Π°Π΄

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

nvd Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2025-4035

CVSS3: 4.3
nvd
6 мСсяцСв Π½Π°Π·Π°Π΄

A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.

msrc Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2025-4035

msrc
2 мСсяца Π½Π°Π·Π°Π΄

Libsoup: cookie domain validation bypass via uppercase characters in libsoup

debian Π»ΠΎΠ³ΠΎΡ‚ΠΈΠΏ

CVE-2025-4035

CVSS3: 4.3
debian
6 мСсяцСв Π½Π°Π·Π°Π΄

A flaw was found in libsoup. When handling cookies, libsoup clients mi ...

EPSS

ΠŸΡ€ΠΎΡ†Π΅Π½Ρ‚ΠΈΠ»ΡŒ: 7%
0.00028
Низкий

4.3 Medium

CVSS3

5 Medium

CVSS2

Π£ΡΠ·Π²ΠΈΠΌΠΎΡΡ‚ΡŒ BDU:2025-10922