Bluechi: privilege escalation in bluechi via unrestricted cross-node systemd dependencies

A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise.

Problem type

Incorrect Authorization

Affected products

Eclipse Foundation

BlueChi

< 1.0.0 - AFFECTED

References

access.redhat.com

https://access.redhat.com/security/cve/CVE-2025-2515

vdb-entryx_refsource_REDHAT

RHBZ#2353313

https://bugzilla.redhat.com/show_bug.cgi?id=2353313

issue-trackingx_refsource_REDHAT

github.com

https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607

github.com

https://github.com/eclipse-bluechi/bluechi/issues/1069

github.com

https://github.com/eclipse-bluechi/bluechi/pull/1073

GitHub Security Advisories

GHSA-hcr2-46j7-rjhp

A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS....

https://github.com/advisories/GHSA-hcr2-46j7-rjhp

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-2515

github.com

https://github.com/eclipse-bluechi/bluechi/issues/1069

github.com

https://github.com/eclipse-bluechi/bluechi/pull/1073

github.com

https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607

access.redhat.com

https://access.redhat.com/security/cve/CVE-2025-2515

bugzilla.redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2353313

github.com

https://github.com/advisories/GHSA-hcr2-46j7-rjhp

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-2515

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-2515",
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "dateUpdated": "2025-12-24T16:48:19.891Z",
    "dateReserved": "2025-03-19T07:36:36.135Z",
    "datePublished": "2025-12-24T16:21:54.365Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat",
        "dateUpdated": "2025-12-24T16:21:54.365Z"
      },
      "datePublic": "2025-10-23T12:40:38.752Z",
      "title": "Bluechi: privilege escalation in bluechi via unrestricted cross-node systemd dependencies",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise."
        }
      ],
      "affected": [
        {
          "vendor": "Eclipse Foundation",
          "product": "BlueChi",
          "collectionURL": "https://github.com/eclipse-bluechi/bluechi",
          "packageName": "bluechi",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "1.0.0"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Incorrect Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-2515",
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ]
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353313",
          "name": "RHBZ#2353313",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ]
        },
        {
          "url": "https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607"
        },
        {
          "url": "https://github.com/eclipse-bluechi/bluechi/issues/1069"
        },
        {
          "url": "https://github.com/eclipse-bluechi/bluechi/pull/1073"
        }
      ],
      "metrics": [
        {},
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "attackVector": "PHYSICAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-03-19T07:30:32.905000+00:00",
          "lang": "en",
          "value": "Reported to Red Hat."
        },
        {
          "time": "2025-10-23T12:40:38.752000+00:00",
          "lang": "en",
          "value": "Made public."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Thibault Guittet (RedHat) and Todd Cullum (RedHat) for reporting this issue."
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T16:48:19.891Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}