CVE-2025-30205
📋 TL;DR
A vulnerability in kanidm-provision versions before 1.2.0 causes admin credentials to be leaked to system logs when using optional patches to provision admin accounts. This affects users who both use the provided patches and provision their admin or idm_admin account credentials through kanidm-provision. No other credentials are impacted.
💻 Affected Systems
- kanidm-provision
⚠️ Manual Verification Required
The vendor advisory states the affected range (kanidm-provision before 1.2.0), but the NVD entry carries no machine-readable version range, so scanners that rely on NVD version data may not flag an affected install. Verify by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with access to system logs could obtain admin credentials, leading to complete compromise of the Kanidm identity management system and potential lateral movement.
Likely Case
Anyone who can read the kanidmd or system logs (local operators, log-shipping pipelines, SIEM users, holders of log backups) sees the admin or idm_admin password in the clear. Wherever log read access is broader than identity-admin access, this is a privilege escalation path.
If Mitigated
Tightening log permissions and raising the log level limit who can read the secret and stop new copies being written, but only rotating the credential and purging the affected log entries removes the exposure.
🎯 Exploit Status
Exploitation requires access to system logs where credentials are leaked, and knowledge of the specific configuration and provisioning method used.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0 or higher
Vendor Advisory: https://github.com/oddlama/kanidm-provision/security/advisories/GHSA-57fc-pcqm-53rp
Restart Required: kanidm-provision itself is a one-shot tool and needs no restart, but if you rebuild kanidm with the updated patchset the running kanidmd must be restarted on the new binary.
Instructions:
1. Update kanidm-provision to version 1.2.0 or higher.
2. Recompile kanidm with the patchset from tag v1.2.0 or higher and restart kanidmd on the rebuilt binary.
3. Re-provision the admin and idm_admin credentials if they were previously provisioned with a vulnerable version, and treat the old values as compromised.
🔧 Temporary Workarounds
Raise Log Level
Set the kanidm log level to warn or higher so the info-level line carrying the provisioned password is no longer written. Apply it to the environment of the process whose log contains the password; it only prevents new copies, lines already written stay in the log.
export KANIDM_LOG_LEVEL=warn
🧯 If You Can't Patch
- Restrict read access to the system journal and to every log file, forwarded copy, and backup that received kanidm log entries; the secret is in all of them
- Rotate all admin and idm_admin credentials provisioned with a vulnerable version; rotation does not remove the old value from existing log entries, so also purge or vacuum the affected log data
🔍 How to Verify
Check if Vulnerable:
Run kanidm-provision --version: anything below 1.2.0 is vulnerable if you also applied the optional kanidm patches and provisioned the admin or idm_admin password through kanidm-provision.
Check Version:
kanidm-provision --version
Verify Fix Applied:
Confirm kanidm-provision reports 1.2.0 or higher, then re-provision and check that the new password does not appear in the kanidm logs (search for the literal secret value rather than for keywords).
📡 Detection & Monitoring
Log Indicators:
- Admin credential strings appearing in system logs at info level
- Sensitive authentication data in kanidm-related log entries
Network Indicators:
- None - this is a local logging issue
SIEM Query (pseudo-syntax; adapt to your platform):
source="kanidm*" AND (log_level="info" OR log_level="debug") AND (message CONTAINS "admin" OR message CONTAINS "password" OR message CONTAINS "credential")
This keyword match is noisy (any line naming an admin group or a password policy fires) and cannot prove a leak. The conclusive check is to search the log store for the literal provisioned secret; if it is found, treat the credential as compromised and remember that the SIEM itself now holds a copy.