A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus

No data.

Package CPE Advisory Released Date
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
yelp-2:3.28.1-3.el8_4.1 cpe:/a:redhat:rhel_aus:8.4 RHSA-2025:4451 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
yelp-2:3.28.1-3.el8_4.1 cpe:/a:redhat:rhel_tus:8.4 RHSA-2025:4451 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
yelp-2:3.28.1-3.el8_4.1 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2025:4451 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
yelp-2:3.28.1-3.el8_6.1 cpe:/a:redhat:rhel_aus:8.6 RHSA-2025:4455 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
yelp-2:3.28.1-3.el8_6.1 cpe:/a:redhat:rhel_tus:8.6 RHSA-2025:4455 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
yelp-2:3.28.1-3.el8_6.1 cpe:/a:redhat:rhel_e4s:8.6 RHSA-2025:4455 2025-05-05T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
yelp-2:40.3-2.el9_0.1 cpe:/a:redhat:rhel_e4s:9.0 RHSA-2025:4450 2025-05-05T00:00:00Z
References
Link Providers
http://www.openwall.com/lists/oss-security/2025/04/04/1 cve-icon
https://access.redhat.com/errata/RHSA-2025:4450 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:4451 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:4455 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:4456 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:4457 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-3155 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2357091 cve-icon cve-icon
https://gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-3155 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-3155 cve-icon
History

Mon, 05 May 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6

Mon, 05 May 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
Vendors & Products Redhat rhel Eus
References

Mon, 05 May 2025 09:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
References

Mon, 05 May 2025 08:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
References

Mon, 05 May 2025 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_e4s:8.4::appstream
cpe:/a:redhat:rhel_tus:8.4::appstream
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
References

Wed, 16 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Moderate

 threat_severity

Important

Wed, 16 Apr 2025 02:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

Tue, 08 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 21:45:00 +0000

Type Values Removed Values Added
References

Fri, 04 Apr 2025 02:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.
Title Yelp: arbitrary file read
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-829
CPEs cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-04-03T13:34:18.878Z

Updated: 2025-05-05T13:52:40.301Z

Reserved: 2025-04-03T02:00:30.674Z

Link: CVE-2025-3155

cve-icon Vulnrichment

Updated: 2025-04-04T21:02:38.684Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-04-03T14:15:46.413

Modified: 2025-05-05T14:15:28.677

Link: CVE-2025-3155

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-03T00:00:00Z

Links: CVE-2025-3155 - Bugzilla