CVE-2025-24355
HIGHDescription
Updatecli is a tool used to apply file update strategies. Prior to version 0.93.0, private maven repository credentials may be leaked in application logs in case of unsuccessful retrieval operation. During the execution of an updatecli pipeline which contains a `maven` source configured with basic auth credentials, the credentials are being leaked in the application execution logs in case of failure. Credentials are properly sanitized when the operation is successful but not when for whatever reason there is a failure in the maven repository, e.g. wrong coordinates provided, not existing artifact or version. Version 0.93.0 contains a patch for the issue.
How to fix
No published remediation has been found for this vulnerability's affected products yet.
Mitigation guidance may be in the linked vendor advisories in the References section below.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit Intelligence
Low risk: more likely to be exploited than 13% of all known CVEs.
References
Related Vulnerabilities
Other CWE-359 vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2023-50719 | High | 7.5 | 84% | - | Fix |
| CVE-2022-0482 | Critical | 9.1 | 38% | - | Fix |
| CVE-2023-36052 | High | 8.6 | 22% | - | Fix |
| CVE-2021-22876 | Medium | 5.3 | 5.3% | - | Fix |
| CVE-2024-45591 | Medium | 5.3 | 3.4% | - | Fix |
| CVE-2022-24819 | Medium | 5.3 | 3.3% | - | Fix |
Embed a live status badge for CVE-2025-24355
Markdown
[](https://tridentstack.com/cve/CVE-2025-24355)HTML
<a href="https://tridentstack.com/cve/CVE-2025-24355"><img src="https://tridentstack.com/cve/badge/CVE-2025-24355.svg" alt="CVE-2025-24355"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-01-24.