Privilege Escalation Issue in Himmelblau Interoperability Suite for Microsoft Azure
CVE-2025-49012

5.4 MEDIUM

Key Information:

Vendor:
CVE Published: 5 June 2025

What is CVE-2025-49012?

The Himmelblau interoperability suite for Microsoft Azure contains a privilege escalation vulnerability affecting versions 0.9.0 through 0.9.14 and 1.0.0-alpha. The issue arises when group-based access restrictions are configured using group display names rather than unique object IDs. Because non-admin users in the tenant can create groups whose display names are identical to those of the legitimate access groups, such users can gain unauthorized authentication or sudo rights through Himmelblau. The vulnerability is addressed in version 0.9.15 and later, where matching on group names has been removed so that filtering is enforced through object IDs only. To mitigate the risk, users are advised to replace display-name entries in pam_allow_groups with object IDs and to audit the group names in their Azure tenant.
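The following Rust example, added here and not taken from the Himmelblau project, illustrates the defect the advisory describes: an allow-list entry that is compared against group display names can be satisfied by any group carrying that name, whereas an entry compared against object IDs cannot. The struct, function names and sample tenant data are constructed for the illustration; the only name taken from the advisory is the pam_allow_groups configuration key, and the simplified line parser is an assumption rather than the project's own parser. It also includes a small audit helper that lists allow-list entries which are not object IDs, which is the check a defender would run when applying the advised mitigation.

```rust
// Added illustration of the CVE-2025-49012 defect: matching an allow-list
// entry against group display names versus the group object ID.
// This is NOT Himmelblau's code; the struct, function names and the
// sample tenant data below are constructed for the example.

/// A group as it would appear in a user's token claims (constructed shape).
#[derive(Debug, Clone)]
pub struct Group {
    pub object_id: String,
    pub display_name: String,
}

/// Parse a `pam_allow_groups = a, b, c` line into its entries.
/// (`pam_allow_groups` is the config key named in the advisory; this
/// parser is a simplification assumed for the example, not the project's.)
pub fn parse_allow_groups(line: &str) -> Vec<String> {
    let Some((key, value)) = line.split_once('=') else {
        return Vec::new();
    };
    if key.trim() != "pam_allow_groups" {
        return Vec::new();
    }
    value
        .split(',')
        .map(|s| s.trim().to_string())
        .filter(|s| !s.is_empty())
        .collect()
}

/// True when `s` has the 8-4-4-4-12 hexadecimal layout of an Entra object ID.
pub fn is_object_id(s: &str) -> bool {
    let parts: Vec<&str> = s.split('-').collect();
    let widths = [8usize, 4, 4, 4, 12];
    parts.len() == 5
        && parts.iter().zip(widths.iter()).all(|(p, &w)| {
            p.len() == w && p.chars().all(|c| c.is_ascii_hexdigit())
        })
}

/// Pre-0.9.15 behaviour as the advisory describes it: an entry matches if it
/// equals EITHER the object ID OR the display name. Any tenant user who can
/// create a group with the same display name satisfies the check.
pub fn allowed_vulnerable(allow_list: &[String], groups: &[Group]) -> bool {
    groups.iter().any(|g| {
        allow_list
            .iter()
            .any(|entry| entry == &g.object_id || entry == &g.display_name)
    })
}

/// Fixed behaviour: only object IDs are compared, so a look-alike group with
/// a different ID never matches, and name entries in the allow list are inert.
pub fn allowed_fixed(allow_list: &[String], groups: &[Group]) -> bool {
    groups
        .iter()
        .any(|g| allow_list.iter().any(|entry| entry == &g.object_id))
}

/// Audit helper: allow-list entries that are not object IDs. Before the fix
/// these are the spoofable entries; after the fix they are dead configuration
/// that grants nobody access, so either way they should be replaced.
pub fn non_id_entries(allow_list: &[String]) -> Vec<String> {
    allow_list.iter().filter(|e| !is_object_id(e)).cloned().collect()
}

fn main() {
    // Constructed sample data: a legitimate admin group and a look-alike
    // group with the same display name but a different object ID.
    let legit = Group {
        object_id: "11111111-2222-3333-4444-555555555555".into(),
        display_name: "linux-admins".into(),
    };
    let lookalike = Group {
        object_id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee".into(),
        display_name: "linux-admins".into(),
    };
    let by_name = parse_allow_groups("pam_allow_groups = linux-admins");
    let by_id = parse_allow_groups(&format!("pam_allow_groups = {}", legit.object_id));

    println!(
        "vulnerable matcher, name entry, look-alike member: {}",
        allowed_vulnerable(&by_name, &[lookalike.clone()])
    );
    println!(
        "fixed matcher, id entry, look-alike member: {}",
        allowed_fixed(&by_id, &[lookalike.clone()])
    );
    println!("entries to replace with object IDs: {:?}", non_id_entries(&by_name));
}
```

Run with `rustc` or as a cargo binary; no external crates are needed. The audit helper is the practical takeaway: an allow list that contains anything other than object IDs is either spoofable (pre-0.9.15) or silently ineffective (0.9.15 and later).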

Affected Version(s)

himmelblau >= 0.9.0, < 0.9.15 (not affected: < 0.9.0, 0.9.15)

himmelblau = 1.0.0-alpha

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
