CVE-2025-35431

Опубликовано: 17 сент. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

CISA Thorium does not escape user controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data such as group memberships. Fixed in 1.1.1.

Ссылки

https://github.com/cisagov/thorium/commit/7c94a0b9bc2dc55e0c307360452f348bac06820c#diff-45e1e58dfb6faacf9efe778c31ead287d8e13ae07c5dad084c792bc4a0605a68R1007-R1008
Patch
https://github.com/cisagov/thorium/releases/tag/1.1.1
Release Notes
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json
Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-35431
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cisa:thorium:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 1.1.1 (исключая)

EPSS

Процентиль: 23%

0.00078

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-90

Связанные уязвимости

GHSA-pcvx-8r6m-5h8r