CVE-2025-54291

MEDIUM5.3EPSS 0.11%

Canonical LXD Project Existence Determination Through Error Handling in Image Get Function in github.com/canonical/lxd

發布日:2025/10/2修改日:2026/4/28

描述

Information disclosure in images API in Canonical LXD before 6.5 and 5.21.4 on all platforms allows unauthenticated remote attackers to determine project existence via differing HTTP status code responses.

受影響套件(4)

Debian/incusfrom 0, < 6.0.4-2+deb13u1
Debian/lxdfrom 0
Go/github.com/canonical/lxd>= 4.0, < 5.21.4
Go/github.com/canonical/lxd>= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54291
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-54291
PATCHhttps://github.com/canonical/lxd
WEBhttps://github.com/canonical/lxd/security/advisories/GHSA-xch9-h8qw-85c7
WEBhttps://pkg.go.dev/vuln/GO-2025-4005