{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54992", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-04T17:34:24.420Z", "datePublished": "2025-08-11T21:34:48.750Z", "dateUpdated": "2025-08-12T15:44:24.225Z"}, "containers": {"cna": {"title": "OpenKilda XXE in SAML configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7"}, {"name": "https://github.com/telstra/open-kilda/pull/5778", "tags": ["x_refsource_MISC"], "url": "https://github.com/telstra/open-kilda/pull/5778"}, {"name": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e", "tags": ["x_refsource_MISC"], "url": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e"}], "affected": [{"vendor": "telstra", "product": "open-kilda", "versions": [{"version": "< 1.164.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-11T21:34:48.750Z"}, "descriptions": [{"lang": "en", "value": "OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0."}], "source": {"advisory": "GHSA-43rg-6r66-6hr7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T15:44:16.451111Z", "id": "CVE-2025-54992", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T15:44:24.225Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54992", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T15:44:16.451111Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T15:44:20.844Z"}}], "cna": {"title": "OpenKilda XXE in SAML configuration", "source": {"advisory": "GHSA-43rg-6r66-6hr7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "telstra", "product": "open-kilda", "versions": [{"status": "affected", "version": "< 1.164.0"}]}], "references": [{"url": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7", "name": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/telstra/open-kilda/pull/5778", "name": "https://github.com/telstra/open-kilda/pull/5778", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e", "name": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-11T21:34:48.750Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54992", "state": "PUBLISHED", "dateUpdated": "2025-08-12T15:44:24.225Z", "dateReserved": "2025-08-04T17:34:24.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-11T21:34:48.750Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0."}, {"lang": "es", "value": "OpenKilda es un controlador OpenFlow de c\u00f3digo abierto. Antes de la versi\u00f3n 1.164.0, se detect\u00f3 una vulnerabilidad de inyecci\u00f3n de entidades externas XML (XXE) en OpenKilda que, en combinaci\u00f3n con GHSL-2025-024, permite a atacantes no autenticados extraer informaci\u00f3n de la instancia donde se ejecuta la interfaz de usuario de OpenKilda. Este problema puede provocar la divulgaci\u00f3n de informaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.164.0."}], "id": "CVE-2025-54992", "lastModified": "2025-08-12T14:25:33.177", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-11T22:15:27.693", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e"}, {"source": "security-advisories@github.com", "url": "https://github.com/telstra/open-kilda/pull/5778"}, {"source": "security-advisories@github.com", "url": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}