CVE-2025-48955 com.erudika:para-server

Package

Manager: maven
Name: com.erudika:para-server
Vulnerable Version: >=0 <1.50.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00019 (percentile 0.03232)

Details

Para Server Logs Sensitive Information

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 7.5 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Affected Component:** Para Server Initialization Logging
**Version:** Para v1.50.6
**File Path:** `para-1.50.6/para-server/src/main/java/com/erudika/para/server/utils/HealthUtils.java`
**Vulnerable Line(s):** Line 132 (via `logger.info(...)` with root credentials)

Technical Details:

The vulnerability is located in the HealthUtils.java file, where a failed configuration file write triggers the following logging statement:

```java
// HealthUtils.java, line 132 (as cited above): both root credentials are passed to the logger in clear text
logger.info("Initialized root app with access key '{}' and secret '{}', but could not write these to {}.",
        rootAppCredentials.get("accessKey"), rootAppCredentials.get("secretKey"), confFile);
```

This writes both the access key and the secret key to the logs without redaction. These credentials are later reused in variable assignments for persistence, but they do not need to be logged for debugging or system health purposes.
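As an added check, not part of the advisory or of para-server: a Python scanner for the exact message shape quoted above, so an operator can tell which root access keys have already landed in existing log files (reporting only a fingerprint of the secret, never the secret itself) and redact the line before logs are shipped elsewhere. The sample log lines and key values are constructed.

```python
import hashlib
import re
from dataclasses import dataclass

# Message shape emitted by the vulnerable HealthUtils.java statement after SLF4J
# substitutes the '{}' placeholders; the trailing '.' is consumed outside the groups.
LEAK_PATTERN = re.compile(
    r"Initialized root app with access key '(?P<access_key>[^']*)' and secret "
    r"'(?P<secret>[^']*)', but could not write these to (?P<conf_file>.+?)\.?$"
)

@dataclass(frozen=True)
class LeakedCredential:
    line_no: int
    access_key: str
    secret_fingerprint: str  # SHA-256 prefix, never the secret itself
    conf_file: str

def fingerprint(secret: str) -> str:
    """Short digest so a finding can be matched to a key without re-logging it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]

def find_leaked_root_credentials(lines):
    """Return one finding per log line that carries the clear-text root secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LEAK_PATTERN.search(line.rstrip("\n"))
        if m:
            findings.append(LeakedCredential(
                line_no, m.group("access_key"), fingerprint(m.group("secret")), m.group("conf_file")))
    return findings

def redact_line(line: str) -> str:
    """Replace only the secret value, leaving the rest of the line intact."""
    m = LEAK_PATTERN.search(line.rstrip("\n"))
    if not m:
        return line
    start, end = m.span("secret")
    return line[:start] + "[REDACTED]" + line[end:]

# Constructed sample lines (not real Para output); the key values are made up.
SAMPLE_LOG = [
    "2025-05-30 20:01:10 INFO  HealthUtils - Initialized root app with access key "
    "'app:example-root' and secret 'EXAMPLEsecretDoNotUse0000', but could not write "
    "these to /opt/para/application.conf.",
    "2025-05-30 20:01:11 INFO  HealthUtils - Server is healthy.",
]

if __name__ == "__main__":
    print(find_leaked_root_credentials(SAMPLE_LOG))
```

Any access key reported by the scanner should be treated as exposed and rotated, since redacting the log afterwards does not undo copies that were already collected.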

Metadata

Created: 2025-05-30T20:01:10Z
Modified: 2025-06-03T01:10:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-v75g-77vf-6jjq/GHSA-v75g-77vf-6jjq.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-v75g-77vf-6jjq
Finding: F009
Auto approve: 1