CVE-2025-7079

A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/mao888/bluebell-plus/issues/35	Exploit
https://vuldb.com/?ctiid.314993	Permissions Required VDB Entry
https://vuldb.com/?id.314993	Third Party Advisory VDB Entry
https://vuldb.com/?submit.603726	Third Party Advisory VDB Entry
https://github.com/mao888/bluebell-plus/issues/35	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:mao888:bluebell-plus:*:*:*:*:*:*:*:*

History

01 Oct 2025, 18:51

Type	Values Removed	Values Added
References	~~() https://github.com/mao888/bluebell-plus/issues/35 -~~	() https://github.com/mao888/bluebell-plus/issues/35 - Exploit
References	~~() https://vuldb.com/?ctiid.314993 -~~	() https://vuldb.com/?ctiid.314993 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.314993 -~~	() https://vuldb.com/?id.314993 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.603726 -~~	() https://vuldb.com/?submit.603726 - Third Party Advisory, VDB Entry
CPE		cpe:2.3:a:mao888:bluebell-plus::::::::
CWE		CWE-798
First Time		Mao888 bluebell-plus Mao888

07 Jul 2025, 17:15

Type	Values Removed	Values Added
References	~~() https://github.com/mao888/bluebell-plus/issues/35 -~~	() https://github.com/mao888/bluebell-plus/issues/35 -
Summary		(es) Se ha detectado una vulnerabilidad clasificada como problemática en mao888 bluebell-plus hasta la versión 2.3.0. Este problema afecta a un procesamiento desconocido del archivo bluebell_backend/pkg/jwt/jwt.go del componente JWT Token Handler. La manipulación del argumento mySecret con la entrada bluebell-plus da lugar al uso de una contraseña predefinida. El ataque puede ejecutarse en remoto. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Se ha hecho público el exploit y puede que sea utilizado.

06 Jul 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-06 13:15

Updated : 2025-10-01 18:51

NVD link : CVE-2025-7079

Mitre link : CVE-2025-7079

CVE.ORG link : CVE-2025-7079

JSON object : View

Products Affected

mao888

bluebell-plus

CWE

CWE-255

Credentials Management Errors

CWE-259

Use of Hard-coded Password

CWE-798

Use of Hard-coded Credentials

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.6 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2025-7079

3.7^/10

2.6^/10

Attach tags to `CVE-2025-7079`