CVE-2025-0504: Black Duck SCA Project Manager Role Privilege Escalation

Overview

CVE-2025-0504 is a medium severity vulnerability affecting Black Duck Software Composition Analysis (SCA) versions prior to 2025.10.0. This security flaw arises from overly broad user role permissions, specifically within the Project Manager role when coupled with Global User Read access. This combination allows Project Managers to access certain Project Administrator functionalities that should be restricted to users with higher privileges. While this vulnerability does not grant full system control, it poses a risk of unauthorized modification of project configurations and potential access to sensitive system information.

Technical Details

The vulnerability stems from the configuration of user role permissions within Black Duck SCA. Prior to version 2025.10.0, the combination of the “Project Manager” user role and the “Global User Read” access permission inadvertently granted access to Project Administrator-level features. This likely resulted from a misconfiguration or oversight in the permission model, where the “Global User Read” permission unintentionally broadened the scope of the “Project Manager” role. An attacker with a valid Project Manager account and Global User Read access could exploit this to perform actions beyond their intended scope.

CVSS Analysis

This vulnerability has been assigned a CVSS score of 5.4, indicating a MEDIUM severity. The CVSS vector likely includes factors such as:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (Requires a valid Project Manager account with Global User Read access)
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

This score reflects the relatively low barrier to entry (a valid Project Manager account), the potential for unauthorized modification of project configurations (integrity impact), and potential access to sensitive information (confidentiality impact).

Possible Impact

The exploitation of CVE-2025-0504 could lead to the following potential impacts:

  • Unauthorized Modification of Project Configurations: An attacker could alter project settings, potentially impacting build processes, security policies, or vulnerability reporting.
  • Access to Sensitive System Information: Depending on the specific functionalities accessible, an attacker might gain access to information that should be restricted to Project Administrators, such as user management details or system configuration data.
  • Compromised Security Posture: Altered project configurations could weaken the overall security posture of the analyzed software projects.

Mitigation or Patch Steps

The recommended mitigation is to upgrade to Black Duck SCA version 2025.10.0 or later. This version includes a fix that corrects the overly broad user role permissions, ensuring that Project Managers with Global User Read access are appropriately restricted to their intended functionalities. Synopsys strongly advises all Black Duck SCA users to apply this update as soon as possible. If upgrading is not immediately feasible, consider temporarily disabling the “Global User Read” permission for Project Manager accounts as a workaround, but this may impact legitimate user workflows.

References

Black Duck Product Security Advisory – CVE-2025-0504

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
