Message-ID: <CALoKeQ8dLkkx+oUnNuZ3D1-=1HRERpozAQxFDCFXQOqOS=JfwQ@mail.gmail.com>
Date: Sun, 6 Jul 2025 22:58:27 +0900
From: Cuong Duy <duycuong200798@...il.com>
To: dev@...six.apache.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2025-27446: Apache APISIX Java Plugin Runner: Local listening
 file permissions in APISIX plugin runner allow a local attacker to elevate privileges

Hi

On Sun, Jul 6, 2025 at 12:37, YuanSheng Wang <membphis@...che.org> wrote:

> Severity: low
>
> Affected versions:
>
> - Apache APISIX Java Plugin Runner
> (org.apache.apisix:apisix-plugin-runner) 0.2.0 through 0.5.0
>
> Description:
>
> Incorrect Permission Assignment for Critical Resource vulnerability in
> Apache APISIX(java-plugin-runner).
>
> Local listening file permissions in APISIX plugin runner allow a local
> attacker to elevate privileges.
> This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through
> 0.5.0.
>
> Users are recommended to upgrade to version 0.6.0 or higher, which
> fixes the issue.
>
> Credit:
>
> Benoit TELLIER (reporter)
>
> References:
> https://apisix.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-27446
>
>
> --
>
> *MembPhis*
> My GitHub: https://github.com/membphis
> Apache APISIX: https://github.com/apache/apisix
>
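
A permission check for a local listening file of the kind the advisory describes, added here as an example; it is not part of the original message or of the APISIX project's code. It assumes the listening file is a Unix-domain socket on Linux, where connecting requires write permission on the socket file; the directory, the file name runner.sock and the modes are constructed for the demo.

```python
import os
import socket
import stat
import tempfile

def audit_socket(path, expected_uid):
    """Return findings for a Unix-domain socket used as a local listener."""
    st = os.lstat(path)                 # lstat: do not follow a planted symlink
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    if mode & stat.S_IWGRP:             # group members can connect
        findings.append("group-writable (mode %04o)" % mode)
    if mode & stat.S_IWOTH:             # every local user can connect
        findings.append("world-writable (mode %04o)" % mode)
    # A writable parent without the sticky bit lets others replace the socket.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

def demo():
    """Bind a constructed socket and audit it with a loose and a tight mode."""
    workdir = tempfile.mkdtemp(prefix="runner-demo-")  # constructed, mode 0700
    path = os.path.join(workdir, "runner.sock")        # hypothetical file name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o666)           # constructed permissive mode
        loose = audit_socket(path, os.getuid())
        os.chmod(path, 0o600)           # owner-only access
        tight = audit_socket(path, os.getuid())
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)
    return loose, tight

if __name__ == "__main__":
    loose, tight = demo()
    print("0666:", loose)
    print("0600:", tight)
```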
