CVE-2025-48955
Para Server Logs Sensitive Information
描述
CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 7.5 (High) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N **Affected Component:** Para Server Initialization Logging **Version:** Para v1.50.6 **File Path:** `para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java` **Vulnerable Line(s):** Line 132 (via `logger.info(...)` with root credentials) Technical Details: The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement: ```java logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.", rootAppCredentials.get("accessKey"), rootAppCredentials.get("secretKey"), confFile); ``` This exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes.
如何修補 CVE-2025-48955
要修補 CVE-2025-48955,請將受影響套件升級到下列已修補版本。
- —升級至 1.50.8 或更新版本
CVE-2025-48955 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.50.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |