CVE-2025-54882

Опубликовано: 07 авг. 2025

Источник: nvd

CVSS3: 7.1

EPSS Низкий

Описание

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials are stored as world readable. This is fixed in versions 0.9.22 and 1.2.0. To work around this issue, remove all read access to Himmelblau caches for all users except for owners.

Ссылки

https://github.com/himmelblau-idm/himmelblau/commit/b562053df3dffb1dd9ab3d09af986886773be2ad
Patch
https://github.com/himmelblau-idm/himmelblau/commit/faae58b0384aca8b21b4be5f1c507412eec3778a
Patch
https://github.com/himmelblau-idm/himmelblau/releases/tag/0.9.22
Release Notes
https://github.com/himmelblau-idm/himmelblau/releases/tag/1.2.0
Release Notes
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-phfx-rjfw-wj83
Exploit
Vendor Advisory
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-phfx-rjfw-wj83
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*

Версия от 0.8.0 (включая) до 0.9.22 (исключая)

cpe:2.3:a:himmelblau-idm:himmelblau:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 1.2.0 (исключая)

EPSS

Процентиль: 4%

0.00018

Низкий

7.1 High

CVSS3

Дефекты

CWE-522