CVE-2025-12405

An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors. A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report. This vulnerability was patched on 21 July 2025, and no customer action is needed.

CVSS

No CVSS.

References

Link	Resource
https://cloud.google.com/support/bulletins#gcp-2025-053
https://www.tenable.com/security/research/tra-2025-29

Configurations

No configuration.

History

10 Nov 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-10 10:15

Updated : 2025-11-12 16:19

NVD link : CVE-2025-12405

Mitre link : CVE-2025-12405

CVE.ORG link : CVE-2025-12405

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2025-12405", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-10T10:15:34.920", "references": [{"url": "https://cloud.google.com/support/bulletins#gcp-2025-053", "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c"}, {"url": "https://www.tenable.com/security/research/tra-2025-29", "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An improper privilege management vulnerability was found in Looker Studio.\u00a0It impacted all JDBC-based connectors.\n\nA Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report.\n\nThis vulnerability was patched on 21 July 2025, and no customer action is needed."}], "lastModified": "2025-11-12T16:19:59.103", "sourceIdentifier": "f45cbf4e-4146-4068-b7e1-655ffc2c548c"}

CVE-2025-12405

JSON object

Attach tags to CVE-2025-12405

Attach tags to `CVE-2025-12405`