CVE-2025-54290

MEDIUM5.3EPSS 0.12%

Canonical LXD Project Existence Determination Through Error Handling in Image Export Function in github.com/canonical/lxd

發布日:2025/10/2修改日:2026/4/28

描述

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

受影響套件(4)

Debian/incusfrom 0, < 6.0.4-2+deb13u1
Debian/lxdfrom 0
Go/github.com/canonical/lxd>= 4.0, < 5.21.4
Go/github.com/canonical/lxd>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54290
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-54290
PATCHhttps://github.com/canonical/lxd
WEBhttps://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35
WEBhttps://pkg.go.dev/vuln/GO-2025-4002