CVE-2025-27446

Опубликовано: 06 июл. 2025

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner).

Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.

Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

Ссылки

https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/06/1
http://www.openwall.com/lists/oss-security/2025/07/07/1

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

Версия от 0.2 (включая) до 0.5 (включая)

EPSS

Процентиль: 2%

0.00014

Низкий

7.8 High

CVSS3

Дефекты

CWE-732

Связанные уязвимости

GHSA-xm8v-g828-5x9r

CVSS3: 7.8

github

7 месяцев назад

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

BDU:2026-00212

CVSS3: 5.3

fstec

10 месяцев назад

Уязвимость плагина java-plugin-runner облачного API-шлюза Apache APISIX, позволяющая нарушителю повысить свои привилегии