CVE-2025-47220
Local file enumeration
Issue summary
The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an admin user. If the provided path points to an existing file that is readable by the user running the application server but is not a recognized image format, this is returned as an error to the client side, confirming the existence of the file.
Severity
Keyfactor rates the severity as low with a CVSS score of 2.4. Assigned CVE-2025-47220.
Who is affected?
All users of SignServer versions prior to 7.3.2.
Risk assessment
An authorized Admin user can get information on the client side if the set file path points to an existing file on the server.
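As an added illustration of the weakness and its fix, not code from SignServer: a Python sketch in which a hypothetical image loader reports a missing file and an existing non-image file differently, beside a hardened loader that confines the configured path to an allow-listed directory and collapses every failure into one client-facing message. All function names, the PNG stand-in decoder and the temporary file layout are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path

# Stand-in for the signer's image decoding; constructed for this example, not SignServer code.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def decode_image(data: bytes) -> bytes:
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a recognized image format")
    return data

def load_image_unrestricted(path: str) -> str:
    # Weak pattern: any path is accepted and the decode error reaches the client,
    # so "no such file" and "exists but is not an image" give different responses.
    try:
        with open(path, "rb") as f:
            decode_image(f.read())
        return "OK"
    except FileNotFoundError:
        return "ERROR: file not found"
    except ValueError as e:
        return f"ERROR: {e}"  # distinguishable: confirms the file exists

def load_image_restricted(path: str, base_dir: str) -> str:
    # Hardened pattern: the path must resolve inside an allow-listed directory,
    # and every failure maps to the same client-facing message.
    base = Path(base_dir).resolve()
    try:
        target = Path(path).resolve()
        target.relative_to(base)  # ValueError when the path escapes base_dir
        with open(target, "rb") as f:
            decode_image(f.read())
        return "OK"
    except (OSError, ValueError):
        return "ERROR: invalid custom image configuration"

def demonstrate() -> dict:
    # Constructed layout: an allowed images dir holding a valid PNG stub, plus a
    # non-image file and a missing path outside it. Returns both loaders' responses.
    root = Path(tempfile.mkdtemp())
    images = root / "images"
    images.mkdir()
    (images / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    existing = root / "server.conf"
    existing.write_bytes(b"not an image")
    missing = root / "does-not-exist"
    return {
        "weak_existing": load_image_unrestricted(str(existing)),
        "weak_missing": load_image_unrestricted(str(missing)),
        "hard_existing": load_image_restricted(str(existing), str(images)),
        "hard_missing": load_image_restricted(str(missing), str(images)),
        "hard_allowed": load_image_restricted(str(images / "logo.png"), str(images)),
    }
```

With the hardened loader the two failure cases are indistinguishable from the client side, while a legitimate image inside the allowed directory still loads.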
Mitigation
Upgrade to SignServer 7.3.2 or later.
Additional information
Should you have any additional questions, please reach out to support@keyfactor.com.