U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2025-24034 Detail

Description

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data. Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled. Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Himmelblau versions 0.7.15 and 0.8.3 contain a patch that fixes both issues. Some workarounds are available for users who are unable to upgrade. For the **logon compliance script issue**, disable the `logon_script` option in `/etc/himmelblau/himmelblau.conf`, and avoid using the `-d` flag when starting the `himmelblaud` daemon. For the Kerberos CCache issue, one may disable debug logging globally by setting the `debug` option in `/etc/himmelblau/himmelblau.conf` to `false` and avoiding the `-d` parameter when starting `himmelblaud`.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS score
NIST: NVD
Base Score:  N/A
NVD assessment not yet provided.

Nist CVSS score does not match with CNA score
CNA:  GitHub, Inc.
Base Score:  3.2 LOW
Vector:  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://github.com/himmelblau-idm/himmelblau/commit/1216804f15ce5dc74bb5da48b5508c41d2ece8fa
https://github.com/himmelblau-idm/himmelblau/releases/tag/0.7.15
https://github.com/himmelblau-idm/himmelblau/releases/tag/0.8.3
https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-p989-2f5w-9cf6
https://manpages.opensuse.org/Tumbleweed/himmelblau/himmelblau.conf.5.en.html
https://manpages.opensuse.org/Tumbleweed/himmelblau/himmelblaud.8.en.html

Weakness Enumeration

CWE-ID CWE Name Source
CWE-532 Insertion of Sensitive Information into Log File GitHub, Inc.  

Change History

1 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2025-24034
NVD Published Date:
01/23/2025
NVD Last Modified:
01/23/2025
Source:
GitHub, Inc.