| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/canonical/lxd | go | >= 4.0, < 5.21.4 | 5.21.4 |
| github.com/canonical/lxd | go | >= 6.0, < 6.5 | 6.5 |
| github.com/canonical/lxd | go | >= 0.0.0-20200331193331-03aab09f5b5c, < 0.0.0-20250827065555-0494f5d47e41 | 0.0.0-20250827065555-0494f5d47e41 |
The vulnerability allows unauthenticated users to determine the existence of projects in LXD by observing different HTTP status codes from the /1.0/images API endpoint. A request for a non-existent project would yield a 404 error, while a request for an existing but unauthorized project would result in a 403 error. This information leak is caused by improper error handling in the imagesGet function located in lxd/images.go. The provided patch addresses this by reorganizing the logic to handle untrusted users early. Specifically, for an unauthenticated user requesting a non-default project, the patched code now consistently returns a generic 404 Not Found response, regardless of the project's actual existence. This makes it impossible to distinguish between non-existent and unauthorized projects, thus mitigating the vulnerability. The primary vulnerable function is lxd.imagesGet as it is the API handler containing the flawed logic that was patched.
```
curl -k "https://lxd-host:8443/1.0/images?project=exist-project"
```
Response:
```
{"type":"error","status":"","status_code":0,"operation":"","error_code":403,"error":"Untrusted callers may only access public images in the default project","metadata":null}
```
The attack requires only network access to the LXD API endpoint, with no authentication needed.
The attack allows confirming the existence of projects within the LXD system by exploiting differences in HTTP status codes. This could potentially increase the exploitability of other vulnerabilities.
Additionally, since project IDs often use meaningful names set by users, this could lead to leakage of unpublished product information. However, resource information within projects cannot be obtained, limiting the impact to existence confirmation only.
It is recommended to modify the error handling in the imagesGet function to return consistent responses regardless of project existence. Specifically, when an error occurs during project existence verification, the implementation should be changed to always return a 403 (Untrusted callers may only access public images in the default project) error to unauthenticated users.
This ensures that the same error response is returned for both existing and non-existing projects, preventing determination of project existence.
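The ordering problem and its fix, as an added illustration written for this advisory rather than LXD's own code: a simplified handler model in Go where the project lookup is assumed to run before the trust check (pre-patch ordering), beside a version that handles untrusted callers first and returns one generic status, following the patch description above. The project store, the `lookupProject` helper and the `leaksExistence` regression check are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Constructed sample project store for the example; not LXD's data model.
var projects = map[string]bool{"default": true, "exist-project": true}

var errNotFound = errors.New("project not found")

// lookupProject is a hypothetical stand-in for the real project lookup.
func lookupProject(name string) error {
	if !projects[name] {
		return errNotFound
	}
	return nil
}

// vulnerableImagesGet models the pre-patch ordering: the project lookup runs
// before the trust check, so its 404 leaks through to untrusted callers while
// an existing, unauthorized project yields 403 instead.
func vulnerableImagesGet(trusted bool, project string) int {
	if err := lookupProject(project); err != nil {
		return http.StatusNotFound // 404: project does not exist
	}
	if !trusted && project != "default" {
		return http.StatusForbidden // 403: exists but caller is untrusted
	}
	return http.StatusOK
}

// hardenedImagesGet handles untrusted callers first and answers every
// non-default project request with the same generic 404, whether or not
// the project exists, so the status code no longer acts as an oracle.
func hardenedImagesGet(trusted bool, project string) int {
	if !trusted && project != "default" {
		return http.StatusNotFound // identical for existing and missing projects
	}
	if err := lookupProject(project); err != nil {
		return http.StatusNotFound
	}
	return http.StatusOK
}

// leaksExistence is a regression check: true when an untrusted caller can
// tell an existing project apart from a non-existent one by status code.
func leaksExistence(h func(bool, string) int) bool {
	return h(false, "exist-project") != h(false, "no-such-project")
}

func main() {
	fmt.Println("vulnerable leaks:", leaksExistence(vulnerableImagesGet))
	fmt.Println("hardened leaks:  ", leaksExistence(hardenedImagesGet))
}
```

A check like `leaksExistence` belongs in the handler's unit tests, so that a future reordering of the lookup and trust checks fails CI rather than silently reintroducing the oracle.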
| LXD Series | Status |
|---|---|
| 6 | Fixed in LXD 6.5 |
| 5.21 | Fixed in LXD 5.21.4 |
| 5.0 | Ignored - Not critical |
| 4.0 | Ignored - EOL and not critical |
Reported by GMO Flatt Security Inc.