CVE-2025-64179
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
lakeFS is an open-source tool that transforms object storage into a Git-like repositories. In versions 1.69.0 and below, missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. This issue is fixed in version 1.71.0 . To workaround the vulnerability, use a load-balancer or application level firewall in order to block the request route /api/v1/usage-report/summary.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| treeverse | lakeFS | < 1.71.0 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/treeverse/lakeFS/security/advisories/GHSA-h238-5mwf-8xw8
- https://github.com/treeverse/lakeFS/commit/1c8adab852dac2387fcb00a256402b308a610c60
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.