CVE-2025-31959
HCL BigFix SM Image EXIF Metadata Exposure
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: HCL Software
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcl | bigfix_service_management | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1230 | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in HCL BigFix Service Management (SM) application is that it fails to remove EXIF metadata from uploaded images.
EXIF metadata can contain sensitive information such as location data, which may be unintentionally shared when images are uploaded.
This failure to strip metadata could lead to confidentiality and privacy risks.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive location information embedded in images you upload.
If such metadata is not removed, it could lead to unintended disclosure of private or confidential information.
This may result in privacy breaches or confidentiality risks depending on the nature of the data shared.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in HCL BigFix Service Management (SM) involves failure to strip EXIF metadata from uploaded images, which can lead to confidentiality and privacy risks by unintentionally sharing sensitive location information.
Such exposure of sensitive personal data could potentially impact compliance with privacy regulations and standards like GDPR and HIPAA, which require protection of personal and sensitive information to prevent unauthorized disclosure.
Therefore, organizations using this application may face challenges in maintaining compliance with these regulations if the vulnerability is exploited.