{"id":"UBUNTU-CVE-2025-54293","details":"Path Traversal in the log file retrieval function in Canonical LXD 5.0 LTS on Linux allows authenticated remote attackers to read arbitrary files on the host system via crafted log file names or symbolic links.","modified":"2025-12-12T09:00:52.260820Z","published":"2025-10-02T11:15:00Z","upstream":["CVE-2025-54293"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-54293"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-54293"},{"type":"REPORT","url":"https://github.com/canonical/lxd/security/advisories/GHSA-472f-vmf2-pr3h"}],"affected":[{"package":{"name":"lxd","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/lxd@2.0.11-0ubuntu1~16.04.4+esm1?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.20-0ubuntu4","0.21-0ubuntu3","0.21-0ubuntu5","0.22-0ubuntu1","0.22-0ubuntu2","0.23-0ubuntu1","0.23-0ubuntu2","0.23-0ubuntu3","0.24-0ubuntu2","0.24-0ubuntu3","0.24-0ubuntu4","0.25-0ubuntu1","0.26-0ubuntu2","0.26-0ubuntu3","0.27-0ubuntu1","0.27-0ubuntu2","2.0.0~beta1-0ubuntu3","2.0.0~beta1-0ubuntu4","2.0.0~beta2-0ubuntu1","2.0.0~beta2-0ubuntu2","2.0.0~beta3-0ubuntu1","2.0.0~beta3-0ubuntu2","2.0.0~beta3-0ubuntu3","2.0.0~beta3-0ubuntu4","2.0.0~beta4-0ubuntu1","2.0.0~beta4-0ubuntu2","2.0.0~beta4-0ubuntu3","2.0.0~beta4-0ubuntu4","2.0.0~beta4-0ubuntu5","2.0.0~beta4-0ubuntu6","2.0.0~beta4-0ubuntu7","2.0.0~rc1-0ubuntu1","2.0.0~rc1-0ubuntu2","2.0.0~rc1-0ubuntu3","2.0.0~rc2-0ubuntu2","2.0.0~rc2-0ubuntu3","2.0.0~rc3-0ubuntu1","2.0.0~rc3-0ubuntu2","2.0.0~rc3-0ubuntu3","2.0.0~rc3-0ubuntu4","2.0.0~rc4-0ubuntu1","2.0.0~rc5-0ubuntu1","2.0.0~rc6-0ubuntu1","2.0.0~rc6-0ubuntu2","2.0.0~rc7-0ubuntu1","2.0.0~rc7-0ubuntu2","2.0.0~rc8-0ubuntu1","2.0.0~rc8-0ubuntu2","2.0.0~rc8-0ubuntu3","2.0.0~rc8-0ubuntu5","2.0.0~rc8-0ubuntu6","2.0.0~rc8-0ubuntu7","2.0.0~rc9-0ubuntu2","2.0.0~rc9-0ubuntu3","2.0.0~rc9-0ubuntu4","2.0.0~rc9-0ubuntu5","2.0.0-0ubuntu1","2.0.0-0ubuntu2","2.0.0-0ubuntu3","2.0.0-0ubuntu4","2.0.1-0ubuntu1~16.04.1","2.0.2-0ubuntu1~16.04.1","2.0.3-0ubuntu1~ubuntu16.04.2","2.0.4-0ubuntu1~ubuntu16.04.1","2.0.5-0ubuntu1~ubuntu16.04.1","2.0.8-0ubuntu1~ubuntu16.04.1","2.0.8-0ubuntu1~ubuntu16.04.2","2.0.9-0ubuntu1~16.04.1","2.0.9-0ubuntu1~16.04.2","2.0.10-0ubuntu1~16.04.1","2.0.10-0ubuntu1~16.04.2","2.0.11-0ubuntu1~16.04.2","2.0.11-0ubuntu1~16.04.4","2.0.11-0ubuntu1~16.04.4+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.11-0ubuntu1~16.04.4+esm1","binary_name":"golang-github-lxc-lxd-dev"},{"binary_version":"2.0.11-0ubuntu1~16.04.4+esm1","binary_name":"lxc2"},{"binary_version":"2.0.11-0ubuntu1~16.04.4+esm1","binary_name":"lxd"},{"binary_version":"2.0.11-0ubuntu1~16.04.4+esm1","binary_name":"lxd-client"},{"binary_version":"2.0.11-0ubuntu1~16.04.4+esm1","binary_name":"lxd-tools"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54293.json"}},{"package":{"name":"lxd","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/lxd@3.0.3-0ubuntu1~18.04.2+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.18-0ubuntu6","2.19-0ubuntu1","2.20-0ubuntu3","2.20-0ubuntu4","2.21-0ubuntu1","2.21-0ubuntu2","2.21-0ubuntu3","2.21-0ubuntu4","3.0.0~beta2-0ubuntu3","3.0.0~beta3-0ubuntu3","3.0.0~beta5-0ubuntu2","3.0.0~beta7-0ubuntu1","3.0.0-0ubuntu1","3.0.0-0ubuntu2","3.0.0-0ubuntu3","3.0.0-0ubuntu4","3.0.1-0ubuntu1~18.04.1","3.0.2-0ubuntu1~18.04.1","3.0.3-0ubuntu1~18.04.1","3.0.3-0ubuntu1~18.04.2","3.0.3-0ubuntu1~18.04.2+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.0.3-0ubuntu1~18.04.2+esm1","binary_name":"lxd"},{"binary_version":"3.0.3-0ubuntu1~18.04.2+esm1","binary_name":"lxd-client"},{"binary_version":"3.0.3-0ubuntu1~18.04.2+esm1","binary_name":"lxd-tools"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54293.json"}},{"package":{"name":"lxd","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/lxd@1:0.10?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:0.7","1:0.8","1:0.9","1:0.10"],"ecosystem_specific":{"binaries":[{"binary_version":"1:0.10","binary_name":"lxd"},{"binary_version":"1:0.10","binary_name":"lxd-client"},{"binary_version":"1:0.10","binary_name":"lxd-tools"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-54293.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}