DEBIAN-CVE-2025-54290

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

References

https://security-tracker.debian.org/tracker/CVE-2025-54290

Affected packages

Debian:13 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.4-2+deb13u1

Affected versions

6.*

6.0.4-2

6.0.4-2+deb13u1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / incus

Package

Name: incus
Purl: pkg:deb/debian/incus?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.5-1

Affected versions

6.*

6.0.4-2

6.0.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.0.2-5

5.0.2-5+deb12u1

5.0.2-6

5.0.2+git20231211.1364ae4-1

5.0.2+git20231211.1364ae4-2

5.0.2+git20231211.1364ae4-3

5.0.2+git20231211.1364ae4-4

5.0.2+git20231211.1364ae4-5

5.0.2+git20231211.1364ae4-6

5.0.2+git20231211.1364ae4-7

5.0.2+git20231211.1364ae4-8

5.0.2+git20231211.1364ae4-9

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / lxd

Package

Name: lxd
Purl: pkg:deb/debian/lxd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.0.2+git20231211.1364ae4-9

5.0.2+git20231211.1364ae4-9+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}