CVE-2025-12952 (CNNVD-202512-2006)
中文标题:
Google Cloud Dialogflow CX 安全漏洞
英文标题:
Privilege Escalation in Dialogflow CX via Webhook Admin Role
漏洞描述
中文描述:
Google Cloud Dialogflow CX是美国谷歌(Google)公司的一个虚拟代理构建平台。 Google Cloud Dialogflow CX存在安全漏洞,该漏洞源于Webhook编辑器权限配置不当,可能导致权限提升。
英文描述:
A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX. Dialogflow agent developers with Webhook editor permission are able to configure Webhooks using Dialogflow service agent access token authentication. This allows the attacker to escalate their privileges from agent-level to project-level, granting them unauthorized access to manage resources in services associated with the project, leading to unexpected costs and resource depletion for the producer project. A fix was applied on the server side to protect from this vulnerability in February 2025. No customer action is required.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Google Cloud | Dialogflow CX | - | < 2025-02 | - |
cpe:2.3:a:google_cloud:dialogflow_cx:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
4.0 (cna)
HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-12952 |
2025-12-11 03:30:12 | 2026-01-12 02:10:48 |
| NVD | nvd_CVE-2025-12952 |
2025-12-13 03:00:04 | 2026-01-12 02:27:27 |
| CNNVD | cnnvd_CNNVD-202512-2006 |
2026-01-11 06:15:05 | 2026-01-12 02:38:00 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202512-2006
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']