Cyber Posture

CVE-2025-30205

High

Published: 24 March 2025

Modified: 15 April 2026
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N)
EPSS Score: 0.0014 (33.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-30205 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 33.4th percentile by exploit likelihood, below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the CVE by requiring timely remediation of the faulty instrumentation in kanidm patches that logs admin credentials.

prevent

Specifies the content of audit records to exclude sensitive information like admin credentials, preventing their insertion into system logs.

prevent

Protects audit information in system logs from unauthorized access by high-privilege attackers seeking leaked credentials.

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability directly causes admin credentials to be inserted into the system log file (CWE-532), enabling an attacker to read and obtain them from local files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

kanidm-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Prior to version 1.2.0, a faulty function instrumentation in the (optional) kanidm patches provided by kanidm-provision will cause the provisioned admin credentials to be leaked to the system log. This only impacts users who both use the provided patches and provision their `admin` or `idm_admin` account credentials this way. No other credentials are affected. Users should recompile kanidm with the newest patchset from tag `v1.2.0` or higher. As a workaround, the user can set the log level `KANIDM_LOG_LEVEL` to any level higher than `info`, for example `warn`.

Deeper analysis

CVE-2025-30205 is a vulnerability in kanidm-provision, a helper utility that uses Kanidm's API to provision users, groups, and OAuth2 systems. Prior to version 1.2.0, faulty function instrumentation in the optional Kanidm patches provided by kanidm-provision causes provisioned admin credentials to be leaked to the system log. This issue only affects users who both apply these provided patches and provision their `admin` or `idm_admin` account credentials this way; no other credentials are impacted. It is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N).

The vulnerability can be exploited by an attacker with high privileges (PR:H) on the affected system, where it is network-accessible with low attack complexity and no user interaction required. By triggering the provisioning process under these conditions, the attacker can cause the admin credentials to be written to the system log, allowing them to read and obtain those credentials from the logs. This results in low confidentiality impact from the leak itself but high integrity impact due to potential unauthorized modifications enabled by the stolen credentials, with a changed scope.

The GitHub security advisory (GHSA-57fc-pcqm-53rp) and fixing commit (a102b52e4a79be4263068577ba837f16c3e487a2) recommend recompiling Kanidm with the newest patchset from tag v1.2.0 or higher to mitigate the issue. As a workaround, users can set the `KANIDM_LOG_LEVEL` environment variable to any level higher than `info`, such as `warn`, to prevent the sensitive credentials from being logged.

CVEs Like This One

CVE-2024-7577 (shared CWE-532)
CVE-2025-1075 (shared CWE-532)
CVE-2026-27900 (shared CWE-532)
CVE-2026-23775 (shared CWE-532)
CVE-2026-34487 (shared CWE-532)
CVE-2026-24762 (shared CWE-532)
CVE-2026-28261 (shared CWE-532)
CVE-2025-11008 (shared CWE-532)
CVE-2026-23493 (shared CWE-532)
CVE-2026-31987 (shared CWE-532)
