CVE-2025-29992
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-09-05

Assigner: MITRE

Description
Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy.
Meta Information
Published: 2025-08-26
Last Modified: 2025-09-05
Generated: 2026-05-07
AI Q&A: 2025-08-26
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor   Product   Version / Range
mahara   mahara    versions before 24.04.9 (24.04.9 excluded)
CWE
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-29992 is a vulnerability in Mahara ePortfolio System versions before 24.04.9 where, if the database server becomes temporarily unreachable (due to being down or overloaded), the system exposes sensitive database connection information. This includes the database host's IP address, database name, and database username, leading to local information disclosure. [1]

How can this vulnerability impact me?

This vulnerability can impact you by exposing sensitive database connection details such as the database host IP, database name, and username when the database is unreachable. This information disclosure could aid attackers in further compromising the system or gaining unauthorized access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring Mahara application behavior when the database server is unreachable or overloaded. Specifically, if accessing Mahara during such database issues results in exposure of database connection details such as the database host IP, database name, or username in error messages or logs, the system is vulnerable. Commands to simulate detection include temporarily stopping or overloading the database server and then accessing Mahara to observe any sensitive information disclosure. For example, you can stop the database service (e.g., using 'sudo systemctl stop mysql' or 'sudo systemctl stop postgresql') and then access the Mahara web interface to check for exposed database details in error messages. Additionally, reviewing web server logs or application logs for database connection information leakage can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update Mahara to version 24.04.9 or later. This update addresses the information disclosure issue along with other high or critical security fixes. Users should obtain the update via Git or downloadable packages containing compiled code with all necessary libraries and stylesheets, avoiding source code packages. Following the Mahara wiki for detailed update instructions is also recommended. [1]