CVE-2025-0504
Black Duck SCA Project Privilege Escalation
Vexday Risk Score
13 (Low)
SSVC Decision (CISA)
Track
No sign of exploitation → monitor
CVSS 5.3 | EPSS 0.1% | KEV no | PoC — | Nuclei — | Metasploit — | Patch referenced
Lifecycle
21 Nov 2025: Published in NVD
Recommendation: Monitor, no sign of exploitation at this time.
Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role and the Global User Read access permission enabled could access certain Project Administrator functionality that should have been inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to sensitive system information.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Black Duck · Black Duck SCA