{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-27791","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-03-06T18:06:54.462Z","datePublished":"2025-04-15T19:09:18.774Z","dateUpdated":"2025-04-15T20:27:04.827Z"},"containers":{"cna":{"title":"Collabora Online Vulnerable to Arbitrary File Write","problemTypes":[{"descriptions":[{"cweId":"CWE-23","lang":"en","description":"CWE-23: Relative Path Traversal","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.3,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25","tags":["x_refsource_CONFIRM"],"url":"https://github.com/CollaboraOnline/online/security/advisories/GHSA-9j32-gg3j-8w25"}],"affected":[{"vendor":"CollaboraOnline","product":"online","versions":[{"version":">= 24.04.1.1, < 24.04.13.1","status":"affected"},{"version":">= 23.05.0, < 23.05.19","status":"affected"},{"version":"< 22.05.25","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-04-15T19:09:18.774Z"},"descriptions":[{"lang":"en","value":"Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25."}],"source":{"advisory":"GHSA-9j32-gg3j-8w25","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-15T20:26:54.283025Z","id":"CVE-2025-27791","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-15T20:27:04.827Z"}}]}}