CVE-2025-23386 — Incorrect Default Permissions in Opensuse Tumbleweed

CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 81.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Opensuse Tumbleweed

Timeline

PublishedApr 10

Description

A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root.,This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5suse/opensuse_tumbleweed? — 2.5.0-1.1

🔴Vulnerability Details

CVEList

gerbera: Privilege escalation from user gerbera to root because of insecure %post script↗2025-04-10

▶

GHSA

GHSA-jrg3-gh37-h96x: A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root↗2025-04-10

▶

OSV

CVE-2025-23386: A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root↗2025-04-10

▶

📋Vendor Advisories

Debian

CVE-2025-23386: gerbera - A Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package...↗2025

▶