{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3931", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-04-25T12:24:04.851Z", "datePublished": "2025-05-14T11:54:50.290Z", "dateUpdated": "2025-05-14T13:27:01.903Z"}, "containers": {"cna": {"title": "Yggdrasil: local privilege escalation in yggdrasil", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's \"worker\" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. \n\nThis flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "yggdrasil", "defaultStatus": "affected", "versions": [{"version": "0:0.4.5-3.el10_0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10.0"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "yggdrasil", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:satellite:6"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:7592", "name": "RHSA-2025:7592", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-3931", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362345", "name": "RHBZ#2362345", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-05-14T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", "workarounds": [{"lang": "en", "value": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability."}], "timeline": [{"lang": "en", "time": "2025-04-25T17:06:52.161000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-05-14T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-05-14T11:54:50.290Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T13:26:50.331377Z", "id": "CVE-2025-3931", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T13:27:01.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T13:26:50.331377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T13:26:57.471Z"}}], "cna": {"title": "Yggdrasil: local privilege escalation in yggdrasil", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10.0"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "versions": [{"status": "unaffected", "version": "0:0.4.5-3.el10_0", "lessThan": "*", "versionType": "rpm"}], "packageName": "yggdrasil", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:satellite:6"], "vendor": "Red Hat", "product": "Red Hat Satellite 6", "packageName": "yggdrasil", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-25T17:06:52.161000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-05-14T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-05-14T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:7592", "name": "RHSA-2025:7592", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-3931", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362345", "name": "RHBZ#2362345", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's \"worker\" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. \n\nThis flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-280", "description": "Improper Handling of Insufficient Permissions or Privileges"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-05-14T11:54:50.290Z"}, "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges"}}, "cveMetadata": {"cveId": "CVE-2025-3931", "state": "PUBLISHED", "dateUpdated": "2025-05-14T13:27:01.903Z", "dateReserved": "2025-04-25T12:24:04.851Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-05-14T11:54:50.290Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's \"worker\" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. \n\nThis flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Yggdrasil, que act\u00faa como intermediario del sistema, permitiendo que los procesos se comuniquen con los procesos \"worker\" de otros subordinados a trav\u00e9s del componente DBus. Yggdrasil crea un m\u00e9todo DBus para enviar mensajes a los trabajadores. Sin embargo, omite las comprobaciones de autenticaci\u00f3n y autorizaci\u00f3n, lo que permite que cualquier usuario del sistema lo invoque. Un trabajador de Yggdrasil disponible act\u00faa como gestor de paquetes, con la capacidad de crear y habilitar nuevos repositorios e instalar o eliminar paquetes. Esta falla permite a un atacante con acceso al sistema aprovechar la falta de autenticaci\u00f3n en el mensaje de env\u00edo para forzar al trabajador de Yggdrasil a instalar paquetes RPM arbitrarios. Este problema provoca una escalada de privilegios local, lo que permite al atacante acceder y modificar datos confidenciales del sistema."}], "id": "CVE-2025-3931", "lastModified": "2025-05-16T14:43:56.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2025-05-14T12:15:19.493", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:7592"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-3931"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362345"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7592", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "yggdrasil-0:0.4.5-3.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-14T00:00:00Z"}], "bugzilla": {"description": "yggdrasil: Local privilege escalation in yggdrasil", "id": "2362345", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362345"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-280", "details": ["A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's \"worker\" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. \nThis flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data."], "mitigation": {"lang": "en:us", "value": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-3931", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "yggdrasil", "product_name": "Red Hat Satellite 6"}], "public_date": "2025-05-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3931\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3931"], "statement": "This vulnerability qualifies as Important rather than Moderate due to its direct violation of privilege boundaries and its broad post-install attack surface. The core issue lies in the com.redhat.Yggdrasil1.Dispatch() method being exposed over the system DBus without any authentication or authorization, enabling any local unprivileged user to interface with a privileged backend (package-manager worker). By leveraging this unprotected method, an attacker can install arbitrary software, execute payloads, and gain full root access, thus achieving a complete Local Privilege Escalation (LPE). While exploitation requires local access, the flaw exists in a default service path (rhc connect) recommended during system registration, increasing its exposure. Furthermore, the ability to manipulate package installation flows \u2014 a highly privileged operation \u2014 indicates a severe trust boundary violation.", "threat_severity": "Important"}