CVE-2025-49012 (GCVE-0-2025-49012)
Vulnerability from cvelistv5
Published: 2025-06-05 22:29
Modified: 2025-06-09 14:47
CWE
- CWE-287 - Improper Authentication
Summary
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID group-based access restrictions are configured using group display names instead of object IDs. Starting in version 0.9.0, Himmelblau introduced support for specifying group names in the `pam_allow_groups` configuration option. However, Microsoft Entra ID permits the creation of multiple groups with the same `displayName` via the Microsoft Graph API—even by non-admin users, depending on tenant settings. As a result, a user could create a personal group with the same name as a legitimate access group (e.g., `"Allow-Linux-Login"`), add themselves to it, and be granted authentication or `sudo` rights by Himmelblau. Because affected Himmelblau versions compare group names by either `displayName` or by the immutable `objectId`, this allows bypassing access control mechanisms intended to restrict login to members of official, centrally-managed groups. This issue is fixed in Himmelblau version **0.9.15** and later. In these versions, group name matching in `pam_allow_groups` has been deprecated and removed, and only group `objectId`s (GUIDs) may be specified for secure group-based filtering. To mitigate the issue without upgrading, replace all entries in `pam_allow_groups` with the objectId of the target Entra ID group(s) and/or audit your tenant for groups with duplicate display names using the Microsoft Graph API.
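A small check for the two mitigations the summary names, written for this page as an added example (not Himmelblau's own code): it reproduces the affected name-or-objectId matching beside the objectId-only rule of 0.9.15+, flags non-GUID `pam_allow_groups` entries, and finds duplicate `displayName`s in a constructed Graph `/groups` listing. The INI-style `[global]` config layout, the sample GUIDs and the group names are assumptions.

```python
import re
from collections import defaultdict

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def parse_pam_allow_groups(conf_text):
    """Pull the comma-separated pam_allow_groups value out of an INI-style config body (assumed layout)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pam_allow_groups":
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def is_allowed(entries, user_groups, objectid_only):
    """Decide login from the user's Entra groups (dicts with id/displayName).
    objectid_only=False mirrors the affected behaviour: a name entry matches any group
    carrying that displayName. objectid_only=True is the rule in 0.9.15 and later."""
    for g in user_groups:
        for e in entries:
            if e.lower() == g["id"].lower():
                return True
            if not objectid_only and e == g["displayName"]:
                return True
    return False

def audit_config(entries):
    """Entries that are not GUIDs are display names; each should be replaced by the group's objectId."""
    return [e for e in entries if not GUID_RE.match(e)]

def duplicate_display_names(groups):
    """From Graph /groups objects, map every displayName used by more than one group to its ids."""
    by_name = defaultdict(list)
    for g in groups:
        by_name[g["displayName"]].append(g["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}

# Constructed sample data: a config that uses a display name, and a tenant where a
# second, user-created group reuses the official group's displayName.
OFFICIAL = {"id": "0f1e2d3c-4b5a-4c6d-8e7f-a0b1c2d3e4f5", "displayName": "Allow-Linux-Login"}
LOOKALIKE = {"id": "9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d", "displayName": "Allow-Linux-Login"}
TENANT_GROUPS = [OFFICIAL, LOOKALIKE,
                 {"id": "c0ffee00-0000-4000-8000-000000000003", "displayName": "Finance"}]
WEAK_CONF = "[global]\npam_allow_groups = Allow-Linux-Login\n"
FIXED_CONF = "[global]\npam_allow_groups = " + OFFICIAL["id"] + "\n"

if __name__ == "__main__":
    print("name-based entries:", audit_config(parse_pam_allow_groups(WEAK_CONF)))
    print("duplicate displayNames:", duplicate_display_names(TENANT_GROUPS))
```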
References
- https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-gcxr-m95v-qcf7 (vendor advisory, x_refsource_CONFIRM)
- https://github.com/himmelblau-idm/himmelblau/issues/554
- https://github.com/himmelblau-idm/himmelblau/commit/918577f6a8392a71d9d3d67f20962c372a0c01c6 (fix commit)
- https://learn.microsoft.com/en-us/answers/questions/1035045/azure-ad-b2c-creates-groups-with-the-same-name-usi?utm_source=chatgpt.com
Impacted products
Vendor | Product | Version
---|---|---
himmelblau-idm | himmelblau | >= 0.9.0, < 0.9.15
himmelblau-idm | himmelblau | = 1.0.0-alpha
Record details
- Title: Himmelblau's Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
- CVSS v3.1 (CNA): 5.4 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (exploitability 2.8, impact 2.5)
- CISA ADP SSVC (2025-06-09): Exploitation none, Automatable no, Technical Impact partial
- CNA: GitHub_M; source advisory GHSA-gcxr-m95v-qcf7; discovery UNKNOWN
- Reserved 2025-05-29, published 2025-06-05, state PUBLISHED; NVD status Awaiting Analysis (as of 2025-06-06)