CVE-2025-49012
BaseFortify
Publication date: 2025-06-05
Last updated on: 2025-06-06
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha, where group-based access restrictions configured using group display names instead of object IDs can be bypassed. Because Microsoft Entra ID allows multiple groups to have the same display name, a user can create a personal group with the same name as a legitimate access group, add themselves to it, and gain unauthorized authentication or sudo rights. This happens because Himmelblau compares group names by displayName or objectId, allowing privilege escalation by bypassing intended access controls.
How can this vulnerability impact me?
This vulnerability can allow an attacker or unauthorized user to escalate their privileges by gaining authentication or sudo rights they should not have. By creating a group with the same display name as an official access group and adding themselves to it, they can bypass access restrictions and gain unauthorized access to systems or resources protected by Himmelblau.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing your Microsoft Entra ID tenant for groups with duplicate display names using the Microsoft Graph API. Specifically, you should check if any non-admin users have created groups with the same displayName as legitimate access groups used in the pam_allow_groups configuration. There are no specific commands provided, but using Microsoft Graph API queries to list groups and identify duplicates by displayName is recommended.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately without upgrading, replace all entries in the pam_allow_groups configuration with the objectId (GUID) of the target Entra ID groups instead of using group display names. Additionally, audit your tenant for groups with duplicate display names using the Microsoft Graph API to identify and remove or rename any maliciously created groups that could grant unauthorized access.
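The three answers above describe one mechanism and its fix: a displayName-based allow list is bypassable because Entra ID does not make display names unique, an objectId-based allow list is not, and a tenant audit for duplicate display names is how you find collisions. The following Python is an added illustration written for this page; it is not Himmelblau's code and does not reproduce its implementation. The group records are constructed to resemble the `id` and `displayName` fields that Microsoft Graph returns from `GET https://graph.microsoft.com/v1.0/groups?$select=id,displayName`; the `owner` field, the GUIDs, the e-mail addresses and the `pam_allow_groups` values are all made up for the example.

```python
"""
Added example (not Himmelblau's own code): shows why matching Entra ID
groups by displayName is bypassable, how comparing objectId closes the
gap, and how to audit a tenant for duplicate display names.

Group records are constructed. In a real tenant they would come from
GET https://graph.microsoft.com/v1.0/groups?$select=id,displayName ;
the inline "owner" field is a simplification of the separate
/groups/{id}/owners relationship.
"""
from collections import defaultdict

# Constructed tenant snapshot. Two groups share the display name
# "linux-admins": the legitimate one and one created by an ordinary user.
TENANT_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "linux-admins",
     "owner": "it-admin@example.com"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "linux-admins",
     "owner": "alice@example.com"},
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "developers",
     "owner": "it-admin@example.com"},
]

# Constructed membership for one user: Alice belongs only to the
# "linux-admins" group she created herself, not to the legitimate one.
ALICE_GROUPS = [
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "linux-admins"},
]

# Weak configuration: group display names only (hypothetical values).
PAM_ALLOW_GROUPS_BY_NAME = ["linux-admins"]
# Corrected configuration: objectId (GUID) of the intended group.
PAM_ALLOW_GROUPS_BY_ID = ["11111111-1111-1111-1111-111111111111"]


def is_allowed_by_name(user_groups, allow_list):
    """Vulnerable pattern: any group whose displayName matches an
    allow-list entry grants access, so a same-named personal group wins."""
    names = {g["displayName"] for g in user_groups}
    return any(entry in names for entry in allow_list)


def is_allowed_by_id(user_groups, allow_list):
    """Hardened pattern: compare only the immutable objectId, which the
    tenant guarantees unique. Case-insensitive, as GUIDs are."""
    ids = {g["id"].lower() for g in user_groups}
    return any(entry.lower() in ids for entry in allow_list)


def find_duplicate_display_names(groups, watch_names=None):
    """Audit step: return {displayName: [objectIds]} for every display name
    used by more than one group. With watch_names (e.g. the current
    pam_allow_groups entries) only collisions with those names are kept."""
    by_name = defaultdict(list)
    for g in groups:
        by_name[g["displayName"]].append(g["id"])
    dups = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    if watch_names is not None:
        dups = {n: ids for n, ids in dups.items() if n in watch_names}
    return dups


def resolve_names_to_ids(groups, names, trusted_owners):
    """Migration helper: map each allow-list name to the objectId of the
    group owned by a trusted administrator. Refuses to guess when zero or
    several candidates remain, so an operator picks the GUID deliberately."""
    result = {}
    for name in names:
        candidates = [g["id"] for g in groups
                      if g["displayName"] == name and g["owner"] in trusted_owners]
        if len(candidates) != 1:
            raise ValueError(
                f"{name!r}: expected exactly one trusted group, found {len(candidates)}")
        result[name] = candidates[0]
    return result


if __name__ == "__main__":
    print("by name :", is_allowed_by_name(ALICE_GROUPS, PAM_ALLOW_GROUPS_BY_NAME))
    print("by id   :", is_allowed_by_id(ALICE_GROUPS, PAM_ALLOW_GROUPS_BY_ID))
    print("dups    :", find_duplicate_display_names(TENANT_GROUPS, PAM_ALLOW_GROUPS_BY_NAME))
    print("migrate :", resolve_names_to_ids(TENANT_GROUPS, PAM_ALLOW_GROUPS_BY_NAME,
                                            {"it-admin@example.com"}))
```

Run as-is, the name-based check admits Alice while the objectId check rejects her, and the audit reports both GUIDs behind `linux-admins`. To apply this to a real tenant, replace `TENANT_GROUPS` with the `value` array of the Graph `/groups` response and feed the resulting GUIDs into `pam_allow_groups`.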