CVE-2025-46826 (GCVE-0-2025-46826)

Vulnerability from cvelistv5 – Published: 2025-05-07 21:32 – Updated: 2025-05-08 13:42
Title
insa-auth Open-Redirect on provided CAS server login endpoint
Summary
insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server's secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
GitHub_M
Impacted products
Vendor Product Version
INSAgenda insa-auth Affected: < 2025-05-03

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T13:41:37.345558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T13:42:58.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "insa-auth",
          "vendor": "INSAgenda",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2025-05-03"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server\u0027s secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 1.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:A/V:D/RE:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-07T21:32:30.865Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv"
        },
        {
          "name": "https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c"
        },
        {
          "name": "https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced"
        },
        {
          "name": "https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d"
        }
      ],
      "source": {
        "advisory": "GHSA-63xr-gvjv-r6xv",
        "discovery": "UNKNOWN"
      },
      "title": "insa-auth Open-Redirect on provided CAS server login endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46826",
    "datePublished": "2025-05-07T21:32:30.865Z",
    "dateReserved": "2025-04-30T19:41:58.135Z",
    "dateUpdated": "2025-05-08T13:42:58.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46826\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-07T22:15:21.320\",\"lastModified\":\"2025-05-08T14:39:09.683\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server\u0027s secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025.\"},{\"lang\":\"es\",\"value\":\"insa-auth es un servidor de autenticaci\u00f3n para INSA Rouen. Un peque\u00f1o problema permiti\u00f3 que sitios web de terceros accedieran al puente de autenticaci\u00f3n secundario del servidor, lo que podr\u00eda revelar informaci\u00f3n b\u00e1sica del estudiante (nombre y n\u00famero). Sin embargo, el problema represent\u00f3 un riesgo m\u00ednimo, nunca fue explotado y tuvo un impacto limitado. Se implement\u00f3 una soluci\u00f3n r\u00e1pidamente el 3 de mayo de 2025.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:X\",\"baseScore\":1.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NEGLIGIBLE\",\"Automatable\":\"YES\",\"Recovery\":\"AUTOMATIC\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"references\":[{\"url\":\"https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46826\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-08T13:41:37.345558Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-08T13:42:47.492Z\"}}], \"cna\": {\"title\": \"insa-auth Open-Redirect on provided CAS server login endpoint\", \"source\": {\"advisory\": \"GHSA-63xr-gvjv-r6xv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 1.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:Y/R:A/V:D/RE:L\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"INSAgenda\", \"product\": \"insa-auth\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2025-05-03\"}]}], \"references\": [{\"url\": \"https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv\", \"name\": \"https://github.com/INSAgenda/insa-auth/security/advisories/GHSA-63xr-gvjv-r6xv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c\", \"name\": \"https://github.com/INSAgenda/insa-auth/commit/8c1e68b2fb55aa952f522ead55a6587526982a2c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced\", \"name\": \"https://github.com/INSAgenda/insa-auth/commit/b0e7508e6ca4360e39fb1fd931f8d47b1f992ced\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d\", \"name\": \"https://github.com/INSAgenda/insa-auth/commit/c77cf2e25778f83ebf5c4fdb4ded3ffcc8cfd74d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"insa-auth is an authentication server for INSA Rouen. A minor issue allowed third-party websites to access the server\u0027s secondary authentication bridge, potentially revealing basic student information (name and number). However, the issue posed minimal risk, was never exploited, and had limited impact. A fix was implemented promptly on May 3, 2025.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-07T21:32:30.865Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46826\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-08T13:42:58.179Z\", \"dateReserved\": \"2025-04-30T19:41:58.135Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-07T21:32:30.865Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
