CVE-2025-27446

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

7.8HIGH

EPSS

0.0%

top 96.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Apisix Java Plugin Runner Apache Apisix

Timeline

PublishedJul 6

Description

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_apisix_java_plugin_runner0.2.0 — 0.5.0

▶NVDapache/apisix0.2 — 0.5

🔴Vulnerability Details

CVEList

Apache APISIX Java Plugin Runner: Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges↗2025-07-06

▶

GHSA

GHSA-xm8v-g828-5x9r: Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner)↗2025-07-06

▶

📋Vendor Advisories

Microsoft

MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_cmpfunc.h.↗2022-04-12

▶