CVE-2025-58366
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| insee_fr_lab | onyxia-api | 4.8.0 |
| insee_fr_lab | onyxia-api | 4.9.0 |
| insee_fr_lab | onyxia-api | 4.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Onyxia versions 4.6.0 through 4.8.0 causes the Onyxia-API to leak credentials of private helm repositories through the public, unauthenticated /public/catalogs endpoint. Only instances using private helm repositories with configured usernames and passwords are affected. The issue is fixed in version 4.9.0.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of private helm repository credentials, potentially allowing attackers to access private repositories and sensitive data or deploy malicious software. This can compromise the security and integrity of your data science environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Onyxia to version 4.9.0 or later, as this version fixes the credential leak issue in the /public/catalogs endpoint. Additionally, avoid using private helm repositories with username and password in the catalogs configuration until the upgrade is applied.