CVE-2025-32803
MEDIUM
Published 2025-05-28T17:08:20.769Z
Actions:
CVSS Score
V3.1
4.0
/10
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score Metrics
Exploitability: N/A
Impact: N/A
Attack Vector Metrics
Impact Metrics
Description
In some cases, Kea log files or lease files may be world-readable.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
Available Exploits
No exploits available for this CVE.
Related News
Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
Posted by Matthias Gerstner on May 30Hi, I just checked this attack vector more closely. The resulting file receives the mode 0666, because bits missing in the `mode` argument passed to `openat()` are masked out. The strace of `kea-ctrl-agent` looks like th…
Seclists.org
2025-05-30 13:23
Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
Posted by Matthias Gerstner on May 30Hi, very nice addition! We already felt like there was little left to succeed in the attack, but didn't think of ACLs. We will make an update to our blog post to reflect this. Cheers Matthias
Seclists.org
2025-05-30 08:14
References
Published: 2025-05-28T17:08:20.769Z
Last Modified: 2025-05-28T17:28:58.513Z
Copied to clipboard!