CVE-2025-12744
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-04
Assigner: Fedora Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| red_hat | abrt | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the ABRT daemon on Linux systems. ABRT takes up to 12 characters from user-supplied mount information and inserts them directly into a shell command (docker inspect) without validating or sanitizing the input. This allows a local unprivileged user to inject shell metacharacters and execute arbitrary commands with root privileges, leading to full system compromise. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows a local unprivileged user to escalate their privileges to root by injecting malicious commands into the ABRT daemon's shell command. This can lead to complete system compromise, including unauthorized access, data manipulation, and control over the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for the presence of the vulnerable ABRT daemon and monitoring for suspicious usage of the 'docker inspect' command with unusual or malformed container IDs that may include shell metacharacters. Since exploitation requires local access to ABRT's UNIX socket, inspecting local user activity and ABRT logs for unexpected command executions or errors related to 'docker inspect' may help. Specific commands could include: 1) Checking for ABRT process: `ps aux | grep abrt` 2) Monitoring recent commands involving docker inspect: `journalctl -u abrt | grep 'docker inspect'` or searching shell history for suspicious docker inspect usage. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local user access to the ABRT UNIX socket to prevent unprivileged users from interacting with the ABRT daemon, applying any available patches or updates from the vendor that address this vulnerability, and disabling or limiting the use of ABRT if it is not essential. Since the vulnerability involves unsanitized input in ABRT's handling of mount information, ensuring that ABRT runs with least privilege and monitoring for unusual activity can also help reduce risk until a patch is applied. [1]