CVE-2025-15107

Опубликовано: 27 дек. 2025

Источник: nvd

CVSS3: 3.7

CVSS3: 8.1

CVSS2: 2.6

EPSS Низкий

Описание

A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key . The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release.

Ссылки

https://github.com/actiontech/sqle/issues/3186
Exploit
Third Party Advisory
https://github.com/actiontech/sqle/milestone/53
Exploit
https://vuldb.com/?ctiid.338478
Permissions Required
VDB Entry
https://vuldb.com/?id.338478
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.710380
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:actionsky:sqle:*:*:*:*:*:*:*:*

Версия до 4.2511.0 (включая)

EPSS

Процентиль: 10%

0.00034

Низкий

3.7 Low

CVSS3

8.1 High

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-320

CWE-798

Связанные уязвимости

GHSA-43h9-hc38-qph5

CVSS3: 3.7

github

около 1 месяца назад

SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key

EPSS

Процентиль: 10%

0.00034

Низкий

3.7 Low

CVSS3

8.1 High

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-320

CWE-798