CVE-2025-0504 MEDIUM

CVE-2025-0504: Black Duck SCA Project Privilege Escalation

Vendor Black Duck
Product Black Duck SCA
Weakness CWE-266
Published November 21, 2025
Last update November 21, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should have be inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to system sensitive information.

Key dates

02Disclosure timeline

November 21, 2025 CVE published
November 21, 2025 Record updated