Skip to main content

Ubuntu CVE-2025-52555

| EUVDEUVD-2025-19240 MEDIUM
Improper Privilege Management (CWE-269)
2025-06-26 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Ubuntu
MEDIUM
qualitative
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 23:54 euvd
EUVD-2025-19240
Analysis Generated
Mar 15, 2026 - 23:54 vuln.today
CVE Published
Jun 26, 2025 - 21:15 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Ceph is a distributed object, block, and file storage platform. In versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2, an unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by root to gain access. The result of this is that a user could read, write and execute to any directory owned by root as long as they chmod 777 it. This impacts confidentiality, integrity, and availability. It is patched in versions 17.2.8, 18.2.5, and 19.2.3.

Analysis

Ceph is a distributed object, block, and file storage platform. In versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2, an unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by root to gain access. The result of this is that a user could read, write and execute to any directory owned by root as long as they chmod 777 it. This impacts confidentiality, integrity, and availability. It is patched in versions 17.2.8, 18.2.5, and 19.2.3.

Technical ContextAI

Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. This vulnerability is classified as Improper Privilege Management (CWE-269).

RemediationAI

Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).

Vendor StatusVendor

Ubuntu

Priority: Medium
ceph
Release Status Version
upstream released 17.2.8,18.2.5,19.2.3
oracular ignored end of life, was needs-triage
jammy not-affected 17.2.9-0ubuntu0.22.04.1
bionic not-affected code not present
noble not-affected 19.2.3-0ubuntu1.24.04.1
focal not-affected code not present
plucky not-affected 19.2.3-0ubuntu1.25.04.1
trusty not-affected code not present
questing not-affected 19.2.3-0ubuntu1.25.10.1
xenial not-affected code not present

Debian

Bug #1108410
ceph
Release Status Fixed Version Urgency
bullseye fixed 14.2.21-1+deb11u1 -
bullseye (security) fixed 14.2.21-1+deb11u3 -
bookworm, bookworm (security) vulnerable 16.2.15+ds-0+deb12u1 -
trixie fixed 18.2.7+ds-1 -
forky, sid fixed 18.2.7+ds-1.1 -
(unstable) fixed 18.2.6-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2025-52555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy