ByteOS Network

Vulnerability Details :

CVE-2025-24807

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-11 Feb, 2025 | 15:31

Updated At-11 Feb, 2025 | 16:12

Fast DDS does not verify Permissions CA

eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:11 Feb, 2025 | 15:31

Updated At:11 Feb, 2025 | 16:12

▼CVE Numbering Authority (CNA)

Fast DDS does not verify Permissions CA

Affected Products

Vendor

eProsima

Product

Fast-DDS

Versions

Affected

< 2.6.10
>= 2.7.0, < 2.10.7
>= 2.11.0, < 2.14.5
>= 3.0.0, < 3.0.2
>= 3.1.0, < 3.1.2

Problem Types

Type	CWE ID	Description
CWE	CWE-345	CWE-345: Insufficient Verification of Data Authenticity

Type: CWE

CWE ID: CWE-345

Description: CWE-345: Insufficient Verification of Data Authenticity

Metrics

Version	Base score	Base severity	Vector
4.0	4.5	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Version: 4.0

Base score: 4.5

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References

Hyperlink	Resource
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983	x_refsource_CONFIRM
https://github.com/eProsima/Fast-DDS/pull/5530	x_refsource_MISC
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396	x_refsource_MISC
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412	x_refsource_MISC
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241	x_refsource_MISC
https://www.omg.org/spec/DDS-SECURITY/1.1/PDF	x_refsource_MISC

Hyperlink: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/eProsima/Fast-DDS/pull/5530

Resource:

x_refsource_MISC

Hyperlink: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396

Resource:

x_refsource_MISC

Hyperlink: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412

Resource:

x_refsource_MISC

Hyperlink: https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241

Resource:

x_refsource_MISC

Hyperlink: https://www.omg.org/spec/DDS-SECURITY/1.1/PDF

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security-advisories@github.com

Published At:11 Feb, 2025 | 16:15

Updated At:21 Feb, 2025 | 15:26

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	4.5	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 4.5

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CPE Matches

eprosima>>fast_dds>>Versions before 2.6.10(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 2.10.0(inclusive) to 2.10.7(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 2.14.0(inclusive) to 2.14.5(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 3.0.0(inclusive) to 3.0.2(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 3.1.0(inclusive) to 3.1.2(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*