CVE-2025-24034

Jan. 23, 2025, 6:15 p.m.

3.2
Low

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data. Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled. Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Himmelblau versions 0.7.15 and 0.8.3 contain a patch that fixes both issues. Some workarounds are available for users who are unable to upgrade. For the **logon compliance script issue**, disable the `logon_script` option in `/etc/himmelblau/himmelblau.conf`, and avoid using the `-d` flag when starting the `himmelblaud` daemon. For the Kerberos CCache issue, one may disable debug logging globally by setting the `debug` option in `/etc/himmelblau/himmelblau.conf` to `false` and avoiding the `-d` parameter when starting `himmelblaud`.

Product(s) Impacted

Product Versions
Himmelblau
  • 0.7.0 - 0.7.14
  • 0.8.0 - 0.8.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-532
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://github.com/himmelblau-idm/himmelblau/commit/1216804f15ce5dc74bb5da48b5508c41d2ece8fa
https://github.com/himmelblau-idm/himmelblau/releases/tag/0.7.15
https://github.com/himmelblau-idm/himmelblau/releases/tag/0.8.3
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-p989-2f5w-9cf6
https://manpages.opensuse.org/Tumbleweed/himmelblau/himmelblau.conf.5.en.html
https://manpages.opensuse.org/Tumbleweed/himmelblau/himmelblaud.8.en.html

Tags

security-advisories@github.com
CWE-532
2025-01-23
CVE-2025-24034

CVSS Score

3.2 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

    View Vector String

Timeline

Published: Jan. 23, 2025, 6:15 p.m.
Last Modified: Jan. 23, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.