{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24333", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "state": "PUBLISHED", "assignerShortName": "Nokia", "dateReserved": "2025-01-20T05:33:25.524Z", "datePublished": "2025-07-02T08:32:57.271Z", "dateUpdated": "2025-07-02T14:13:31.539Z"}, "containers": {"cna": {"title": "Administrative user shell input validation fault", "descriptions": [{"lang": "en", "value": "Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file.\n\nThis issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file."}], "affected": [{"vendor": "Nokia", "product": "Nokia Single RAN", "versions": [{"version": "All the releases prior to 24R1-SR 1.0 MP", "status": "affected"}, {"version": "24R1-SR 1.0 MP and later", "status": "unaffected"}]}], "references": [{"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24333/", "name": "Nokia Security Advisory"}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2025-07-02T08:32:57.271Z"}, "x_generator": {"engine": "cveClient/1.0.15"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T14:13:27.212792Z", "id": "CVE-2025-24333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T14:13:31.539Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T14:13:27.212792Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T14:13:06.188Z"}}], "cna": {"title": "Administrative user shell input validation fault", "affected": [{"vendor": "Nokia", "product": "Nokia Single RAN", "versions": [{"status": "affected", "version": "All the releases prior to 24R1-SR 1.0 MP"}, {"status": "unaffected", "version": "24R1-SR 1.0 MP and later"}]}], "references": [{"url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24333/", "name": "Nokia Security Advisory"}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file.\n\nThis issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file."}], "providerMetadata": {"orgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "shortName": "Nokia", "dateUpdated": "2025-07-02T08:32:57.271Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24333", "state": "PUBLISHED", "dateUpdated": "2025-07-02T14:13:31.539Z", "dateReserved": "2025-01-20T05:33:25.524Z", "assignerOrgId": "b48c3b8f-639e-4c16-8725-497bc411dad0", "datePublished": "2025-07-02T08:32:57.271Z", "assignerShortName": "Nokia"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file.\n\nThis issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file."}, {"lang": "es", "value": "El software de banda base de Nokia Single RAN anterior a la versi\u00f3n 24R1-SR 1.0 MP presenta un fallo de validaci\u00f3n de entrada en el shell administrativo. Este fallo, en teor\u00eda, podr\u00eda ser utilizado por un usuario administrador autenticado para inyectar comandos arbitrarios y ejecutar procesos de servicio OAM de banda base sin privilegios mediante la adici\u00f3n de caracteres especiales al archivo interno COMA_config.xml de banda base. Este problema se ha corregido a partir de la versi\u00f3n 24R1-SR 1.0 MP, a\u00f1adiendo una validaci\u00f3n de entrada adecuada al proceso de servicio OAM, lo que impide la inyecci\u00f3n de caracteres especiales mediante el archivo interno COMA_config.xml de banda base."}], "id": "CVE-2025-24333", "lastModified": "2025-07-03T15:13:53.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-02T09:15:24.800", "references": [{"source": "b48c3b8f-639e-4c16-8725-497bc411dad0", "url": "https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2025-24333/"}], "sourceIdentifier": "b48c3b8f-639e-4c16-8725-497bc411dad0", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}