CVE-2025-29992
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-09-05

Assigner: MITRE

Description
Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2025-09-05
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-29992
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mahara mahara to 24.04.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-29992 is a vulnerability in Mahara ePortfolio System versions before 24.04.9 where, if the database server becomes temporarily unreachable (due to being down or overloaded), the system exposes sensitive database connection information. This includes the database host's IP address, database name, and database username, leading to local information disclosure. [1]

Impact Analysis

This vulnerability can impact you by exposing sensitive database connection details such as the database host IP, database name, and username when the database is unreachable. This information disclosure could aid attackers in further compromising the system or gaining unauthorized access. [1]

Detection Guidance

This vulnerability can be detected by monitoring Mahara application behavior when the database server is unreachable or overloaded. Specifically, if accessing Mahara during such database issues results in exposure of database connection details such as the database host IP, database name, or username in error messages or logs, the system is vulnerable. Commands to simulate detection include temporarily stopping or overloading the database server and then accessing Mahara to observe any sensitive information disclosure. For example, you can stop the database service (e.g., using 'sudo systemctl stop mysql' or 'sudo systemctl stop postgresql') and then access the Mahara web interface to check for exposed database details in error messages. Additionally, reviewing web server logs or application logs for database connection information leakage can help detect the vulnerability. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update Mahara to version 24.04.9 or later. This update addresses the information disclosure issue along with other high or critical security fixes. Users should obtain the update via Git or downloadable packages containing compiled code with all necessary libraries and stylesheets, avoiding source code packages. Following the Mahara wiki for detailed update instructions is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-29992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart