CVE-2025-54955
Publication date 3 August 2025
Last updated 4 August 2025
Ubuntu priority
CVSS 3 severity score
Description
OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| opennebula | 24.04 LTS noble | Not in release |
| opennebula | 22.04 LTS jammy | Not in release |
| opennebula | 18.04 LTS bionic | Needs evaluation |
| opennebula | 16.04 LTS xenial | Needs evaluation |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-54955
- https://docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.html
- https://github.com/OpenNebula/one
- https://github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6
- https://github.com/OpenNebula/one/releases/tag/release-7.0.0
- https://github.com/Stolichnayer/OpenNebula-Account-Takeover