CVE-2025-1077

{"id": "CVE-2025-1077", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "incident@nbu.gov.sk", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.5, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2025-02-07T09:15:08.380", "references": [{"url": "https://www.iblsoft.com/security/advisory-isec-2024-001/", "source": "incident@nbu.gov.sk"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "incident@nbu.gov.sk", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather).\u00a0The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled.\n\nA remote\u00a0unauthenticated\n\nattacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS\u00a0pipeline\u00a0with specially crafted Form Properties, enabling remote execution of arbitrary Python code.\u00a0This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services\u00a0are run under a privileged user account\u2014contrary to the documented installation best practices.\n\n\n\nUpgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher)."}], "lastModified": "2025-02-07T09:15:08.380", "sourceIdentifier": "incident@nbu.gov.sk"}