CVE-2025-14651

Summary

A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of hard-coded cryptographic key . The attack may be initiated remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The code maintainer recommends (translated from Chinese): "The default docker-compose example file is not recommended for production use. If you intend to use it in production, please carefully check and modify every configuration and environment variable yourself!"

Affected Software

VendorProductVersion RangeStatus
MartialBEone-hub0.14.0affected
MartialBEone-hub0.14.1affected
MartialBEone-hub0.14.2affected
MartialBEone-hub0.14.3affected
MartialBEone-hub0.14.4affected
MartialBEone-hub0.14.5affected
MartialBEone-hub0.14.6affected
MartialBEone-hub0.14.7affected
MartialBEone-hub0.14.8affected
MartialBEone-hub0.14.9affected
MartialBEone-hub0.14.10affected
MartialBEone-hub0.14.11affected
MartialBEone-hub0.14.12affected
MartialBEone-hub0.14.13affected
MartialBEone-hub0.14.14affected
MartialBEone-hub0.14.15affected
MartialBEone-hub0.14.16affected
MartialBEone-hub0.14.17affected
MartialBEone-hub0.14.18affected
MartialBEone-hub0.14.19affected
MartialBEone-hub0.14.20affected
MartialBEone-hub0.14.21affected
MartialBEone-hub0.14.22affected
MartialBEone-hub0.14.23affected
MartialBEone-hub0.14.24affected
MartialBEone-hub0.14.25affected
MartialBEone-hub0.14.26affected
MartialBEone-hub0.14.27affected

Weaknesses

  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-320: Key Management Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References