Vulnerabilites related to Apache Software Foundation - Apache APISIX Java Plugin Runner
CVE-2025-27446 (GCVE-0-2025-27446)
Vulnerability from cvelistv5
Published
2025-07-06 06:05
Modified
2025-07-11 03:55
Severity ?
CWE
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache APISIX Java Plugin Runner Version: 0.2.0    0.5.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T03:55:32.760Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/apache/apisix-java-plugin-runner",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.apisix:apisix-plugin-runner",
          "product": "Apache APISIX Java Plugin Runner",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "0.5.0",
              "status": "affected",
              "version": "0.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Benoit TELLIER"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIncorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner).\u003c/p\u003eLocal listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges.\u003cbr\u003e\u003cp\u003eThis issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner).\n\nLocal listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges.\nThis issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.\n\nUsers are recommended to upgrade to version 0.6.0 or higher, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-06T06:05:15.144Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache APISIX Java Plugin Runner: Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-27446",
    "datePublished": "2025-07-06T06:05:15.144Z",
    "dateReserved": "2025-02-26T05:18:04.477Z",
    "dateUpdated": "2025-07-11T03:55:32.760Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}