ByteOS Network

NVD Vulnerability Details :

CVE-2025-24807

Analyzed

Source-security-advisories@github.com

Published At-11 Feb, 2025 | 16:15

Updated At-21 Feb, 2025 | 15:26

eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	4.5	MEDIUM	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 4.5

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CPE Matches

eprosima>>fast_dds>>Versions before 2.6.10(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 2.10.0(inclusive) to 2.10.7(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 2.14.0(inclusive) to 2.14.5(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 3.0.0(inclusive) to 3.0.2(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

eprosima>>fast_dds>>Versions from 3.1.0(inclusive) to 3.1.2(exclusive)

cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-345	Primary	security-advisories@github.com

CWE ID: CWE-345

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L390-L396	security-advisories@github.com	Product
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/accesscontrol/Permissions.cpp#L412	security-advisories@github.com	Product
https://github.com/eProsima/Fast-DDS/blob/2.6.9/src/cpp/security/authentication/PKIDH.cpp#L241	security-advisories@github.com	Product
https://github.com/eProsima/Fast-DDS/pull/5530	security-advisories@github.com	Patch
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983	security-advisories@github.com	Vendor Advisory
https://www.omg.org/spec/DDS-SECURITY/1.1/PDF	security-advisories@github.com	Related