Canonical MAAS vulnerabilities

4 known vulnerabilities affecting canonical/maas.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 3

Vulnerabilities

CVE-2025-7044 | MEDIUM | CVSS 6.5 | ≥ 3.3.0, < 3.3.11; ≥ 3.4.0, < 3.4.9; +2 more | 2025-12-03
CVE-2025-7044 [HIGH] CWE-269: An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full a
nvd
CVE-2024-6107 | CRITICAL | CVSS 9.8 | ≥ 3.1.0, < 3.1.4; ≥ 3.2.0, < 3.2.11; +3 more | 2025-07-21
CVE-2024-6107 [CRITICAL] CWE-287: Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
cvelistv5, nvd
CVE-2013-1058 | MEDIUM | CVSS 5.8 | ≤ 12.04.4; v12.04.1; +2 more | 2013-11-23
CVE-2013-1058 [MEDIUM] CWE-310: maas-import-pxe-files in MAAS before 13.10 does not verify the integrity of downloaded files, which allows remote attackers to modify these files via a man-in-the-middle (MITM) attack.
nvd
CVE-2013-1057 | MEDIUM | CVSS 4.4 | ≤ 12.04.4; v12.04.1; +2 more | 2013-11-18
CVE-2013-1057 [MEDIUM] CWE-20: Untrusted search path vulnerability in maas-import-pxe-files in MAAS before 13.10 allows local users to execute arbitrary code via a Trojan horse import_pxe_files configuration file in the current working directory.
nvd