{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-12742","assignerOrgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","state":"PUBLISHED","assignerShortName":"GoogleCloud","dateReserved":"2025-11-05T10:50:53.509Z","datePublished":"2025-11-25T05:38:47.907Z","dateUpdated":"2025-11-25T14:39:05.212Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Looker-hosted"],"product":"Looker","vendor":"Google Cloud","versions":[{"lessThan":"24.12.108","status":"affected","version":"0","versionType":"custom"},{"lessThan":"24.18.200","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.0.78","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.6.65","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.8.47","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.12.10","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.14","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Self-hosted"],"product":"Looker","vendor":"Google Cloud","versions":[{"lessThan":"24.12.108","status":"affected","version":"0","versionType":"custom"},{"lessThan":"24.18.200","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.0.78","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.6.65","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.8.47","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.12.10","status":"affected","version":"0","versionType":"custom"},{"lessThan":"25.14","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Sivanesh Ashok"},{"lang":"en","type":"finder","value":"Sreeram KL"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters.<br><br>Looker-hosted and Self-hosted were found to be vulnerable.<br>This issue has already been mitigated for Looker-hosted instances.&nbsp;No user action is required for these.<div><br></div><span style=\"background-color: rgb(252, 252, 252);\">Self-hosted instances must be upgraded <span style=\"background-color: rgb(252, 252, 252);\">as soon as possible</span>. This vulnerability has been patched in all supported versions of Self-hosted.</span><br><div><span style=\"background-color: rgb(252, 252, 252);\">The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://download.looker.com/\">https://download.looker.com/</a><span style=\"background-color: rgb(252, 252, 252);\">:<br><ul><li><span style=\"background-color: rgb(252, 252, 252);\">24.12.108+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">24.18.200+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.0.78+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.6.65+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.8.47+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.12.10+</span></li><li><span style=\"background-color: rgb(252, 252, 252);\">25.14+</span></li></ul></span></div>"}],"value":"A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters.\n\nLooker-hosted and Self-hosted were found to be vulnerable.\nThis issue has already been mitigated for Looker-hosted instances. No user action is required for these.\n\n\nSelf-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.\nThe versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page  https://download.looker.com/ :\n  *  24.12.108+\n  *  24.18.200+\n  *  25.0.78+\n  *  25.6.65+\n  *  25.8.47+\n  *  25.12.10+\n  *  25.14+"}],"impacts":[{"capecId":"CAPEC-242","descriptions":[{"lang":"en","value":"CAPEC-242 Code Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":7.5,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"HIGH","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f45cbf4e-4146-4068-b7e1-655ffc2c548c","shortName":"GoogleCloud","dateUpdated":"2025-11-25T05:38:47.907Z"},"references":[{"url":"https://cloud.google.com/support/bulletins#gcp-2025-052"}],"source":{"discovery":"UNKNOWN"},"title":"Remote Code Execution in Looker via Teradata JDBC Driver","x_generator":{"engine":"Vulnogram 0.4.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-25T14:38:27.546926Z","id":"CVE-2025-12742","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-25T14:39:05.212Z"}}]}}