LeakyCreds

CVE-2025-60012 - Vulnerability Analysis

Medium | CVSS: 6.3

Last Updated: March 13, 2026

Apache Livy - Broken Access Control

Published: March 13, 2026 | Updated: March 13, 2026 | PoC Available | Remote Exploitable

Overview

Apache Livy 0.7.0 and 0.8.0 contain an unauthorized file access vulnerability: malicious Spark configuration values supplied through the REST or JDBC interface let users access files they are not authorized to access. Exploitation requires user access to Livy's interfaces.

Severity & Score

Severity: Medium
CVSS Score: 6.3

Impact

Users can access files without proper permissions, potentially exposing sensitive data.

Mitigation

Upgrade to version 0.9.0 or later.

Details

CVE ID: CVE-2025-60012
Severity: Medium
CVSS Score: 6.3
Type: misconfiguration
Status: new

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L