{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/88302?format=json","vulnerability_id":"VCID-yab7-pnah-2bbx","summary":"OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.","aliases":[{"alias":"CVE-2025-54955"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6","reference_id":"81058d9705e7ac619d294423de28b76d88f613b6","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-04T15:20:50Z/"}],"url":"https://github.com/OpenNebula/one/commit/81058d9705e7ac619d294423de28b76d88f613b6"},{"reference_url":"https://github.com/OpenNebula/one","reference_id":"one","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-04T15:20:50Z/"}],"url":"https://github.com/OpenNebula/one"},{"reference_url":"https://github.com/Stolichnayer/OpenNebula-Account-Takeover","reference_id":"OpenNebula-Account-Takeover","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-04T15:20:50Z/"}],"url":"https://github.com/Stolichnayer/OpenNebula-Account-Takeover"},{"reference_url":"https://github.com/OpenNebula/one/releases/tag/release-7.0.0","reference_id":"release-7.0.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-04T15:20:50Z/"}],"url":"https://github.com/OpenNebula/one/releases/tag/release-7.0.0"},{"reference_url":"https://docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.html","reference_id":"resolved_issues_6103.html","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-04T15:20:50Z/"}],"url":"https://docs.opennebula.io/6.10/intro_release_notes/release_notes_enterprise/resolved_issues_6103.html"}],"weaknesses":[{"cwe_id":362,"name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","description":"The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently."}],"exploits":[],"severity_range_score":"8.1 - 8.1","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yab7-pnah-2bbx"}