Message-ID: <CAKzgDd0uOByqN49wgrb0BXfAZcqCzm7_Sb8CSH2qY-BQBXsYEQ@mail.gmail.com>
Date: Sun, 6 Jul 2025 11:36:32 +0800
From: YuanSheng Wang <membphis@...che.org>
To: oss-security@...ts.openwall.com
Cc: "dev@...six.apache.org" <dev@...six.apache.org>
Subject: CVE-2025-27446: Apache APISIX Java Plugin Runner: Local listening
 file permissions in APISIX plugin runner allow a local attacker to elevate privileges

Severity: low

Affected versions:

- Apache APISIX Java Plugin Runner
(org.apache.apisix:apisix-plugin-runner) 0.2.0 through 0.5.0

Description:

Incorrect Permission Assignment for Critical Resource vulnerability in
Apache APISIX(java-plugin-runner).

Local listening file permissions in APISIX plugin runner allow a local
attacker to elevate privileges.
This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0.

Users are recommended to upgrade to version 0.6.0 or higher, which
fixes the issue.

Credit:

Benoit TELLIER (reporter)

References:
https://apisix.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-27446


-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
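
Added example, not part of the original message and not code from the Apache APISIX project: a permission audit an operator could run against the runner's listening file. It assumes the listening file is a Unix domain socket; the advisory gives neither the socket path nor its mode, so the path is supplied by the caller.

```python
import os
import stat
import sys


def audit_listening_socket(path):
    """Return permission findings for a Unix domain socket file (empty = ok)."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a socket ({stat.filemode(st.st_mode)})"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)

    # On Linux, connect() needs write permission on the socket file and
    # search (x) permission on the directory that contains it.
    if mode & stat.S_IWOTH:
        if pmode & stat.S_IXOTH:
            findings.append(
                f"{path}: mode {mode:04o} lets any local user connect")
        else:
            findings.append(
                f"{path}: mode {mode:04o} is world-writable; only the "
                f"parent directory mode {pmode:04o} blocks other users")
    elif mode & stat.S_IWGRP:
        findings.append(
            f"{path}: mode {mode:04o} lets members of gid {st.st_gid} connect")

    # A world-writable parent without the sticky bit lets another user
    # unlink the socket and bind a replacement at the same path.
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(
            f"{parent}: mode {pmode:04o} lets any local user replace the socket")
    return findings


if __name__ == "__main__":
    # Usage: python audit_socket.py <path-to-runner-socket>
    results = [f for p in sys.argv[1:] for f in audit_listening_socket(p)]
    print("\n".join(results) if results else "no findings")
    sys.exit(1 if results else 0)
```

An empty result means only the socket's owner can connect and the containing directory cannot be used to swap the socket out.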
