CVE-2025-5467 PUBLISHED

Ubuntu Apport Insecure File Permissions Vulnerability

Assigner: canonical
Reserved: 02.06.2025 Published: 10.12.2025 Updated: 10.12.2025

It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 1.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Canonical
Product	apport
Versions	Default: unaffected affected from 2.20.11-0ubuntu82 to 2.20.11-0ubuntu82.7 (excl.) affected from 2.32.0 to 2.32.0-0ubuntu5.1 (excl.) affected from 2.20.9 to 2.20.9-0ubuntu7.29+esm1 (excl.) affected from 2.28.1 to 2.28.1-0ubuntu3.6 (excl.) affected from 2.33.0 to 2.33.0-0ubuntu1 (excl.) affected from 2.20.1 to 2.20.1-0ubuntu2.30+esm5 (excl.) affected from 2.20.11-0ubuntu27 to 2.20.11-0ubuntu27.28 (excl.)

Credits

Rich Mirch finder

References

Problem Types

CWE-708: Incorrect Ownership Assignment CWE

Impacts

CAPEC-639: Probe System Files