Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Apigee hybrid Javacallout policy by Google Cloud

    CVE-2025-13426 (GCVE-0-2025-13426)

    Vulnerability from nvd – Published: 2025-12-05 21:27 – Updated: 2025-12-08 17:27
    VLAI
    Title
    Improper Sandboxing in Google Apigee's JavaCallout Policy Allows for Remote Code Execution
    Summary
    A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    Impacted products
    Vendor Product Version
    Google Cloud Apigee hybrid Javacallout policy Affected: 0 , < Hybrid_1.11.2 (custom)
    Affected: 0 , < Hybrid_1.12.4 (custom)
    Affected: 0 , < Hybrid_1.13.3 (custom)
    Affected: 0 , < Hybrid_1.14.1 (custom)
    Affected: 0 , < OPDK_5202 (custom)
    Affected: 0 , < OPDK_5300 (custom)
    Create a notification for this product.
    Credits
    Nikita Markevich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13426",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T17:27:37.360144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T17:27:42.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apigee hybrid Javacallout policy",
              "vendor": "Google Cloud",
              "versions": [
                {
                  "lessThan": "Hybrid_1.11.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.13.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.14.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "OPDK_5202",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "OPDK_5300",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Markevich"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability exists in Google \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.apigee.com/api-platform/reference/policies/java-callout-policy\"\u003eApigee\u0027s JavaCallout policy\u003c/a\u003e that allows for remote code execution.\u003c/p\u003eIt is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,\u0026nbsp;leading to unauthorized access to data, lateral movement within the network, and access to backend systems.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThe Apigee hybrid versions below have all been updated to protect from this vulnerability:\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cul\u003e\u003cli\u003eHybrid_1.11.2+\u003c/li\u003e\u003cli\u003eHybrid_1.12.4+\u003c/li\u003e\u003cli\u003eHybrid_1.13.3+\u003c/li\u003e\u003cli\u003eHybrid_1.14.1+\u003c/li\u003e\u003cli\u003eOPDK_5202+\u003c/li\u003e\u003cli\u003eOPDK_5300+\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "A vulnerability exists in Google  Apigee\u0027s JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy  that allows for remote code execution.\n\nIt is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,\u00a0leading to unauthorized access to data, lateral movement within the network, and access to backend systems.\n\nThe Apigee hybrid versions below have all been updated to protect from this vulnerability:\n  *  Hybrid_1.11.2+\n  *  Hybrid_1.12.4+\n  *  Hybrid_1.13.3+\n  *  Hybrid_1.14.1+\n  *  OPDK_5202+\n  *  OPDK_5300+"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T21:27:13.711Z",
            "orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
            "shortName": "GoogleCloud"
          },
          "references": [
            {
              "url": "https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Sandboxing in Google Apigee\u0027s JavaCallout Policy Allows for Remote Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
        "assignerShortName": "GoogleCloud",
        "cveId": "CVE-2025-13426",
        "datePublished": "2025-12-05T21:27:13.711Z",
        "dateReserved": "2025-11-19T16:10:26.041Z",
        "dateUpdated": "2025-12-08T17:27:42.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13426 (GCVE-0-2025-13426)

    Vulnerability from cvelistv5 – Published: 2025-12-05 21:27 – Updated: 2025-12-08 17:27
    VLAI
    Title
    Improper Sandboxing in Google Apigee's JavaCallout Policy Allows for Remote Code Execution
    Summary
    A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    Impacted products
    Vendor Product Version
    Google Cloud Apigee hybrid Javacallout policy Affected: 0 , < Hybrid_1.11.2 (custom)
    Affected: 0 , < Hybrid_1.12.4 (custom)
    Affected: 0 , < Hybrid_1.13.3 (custom)
    Affected: 0 , < Hybrid_1.14.1 (custom)
    Affected: 0 , < OPDK_5202 (custom)
    Affected: 0 , < OPDK_5300 (custom)
    Create a notification for this product.
    Credits
    Nikita Markevich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13426",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T17:27:37.360144Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T17:27:42.517Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apigee hybrid Javacallout policy",
              "vendor": "Google Cloud",
              "versions": [
                {
                  "lessThan": "Hybrid_1.11.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.13.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "Hybrid_1.14.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "OPDK_5202",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "OPDK_5300",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nikita Markevich"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA vulnerability exists in Google \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.apigee.com/api-platform/reference/policies/java-callout-policy\"\u003eApigee\u0027s JavaCallout policy\u003c/a\u003e that allows for remote code execution.\u003c/p\u003eIt is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,\u0026nbsp;leading to unauthorized access to data, lateral movement within the network, and access to backend systems.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThe Apigee hybrid versions below have all been updated to protect from this vulnerability:\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cul\u003e\u003cli\u003eHybrid_1.11.2+\u003c/li\u003e\u003cli\u003eHybrid_1.12.4+\u003c/li\u003e\u003cli\u003eHybrid_1.13.3+\u003c/li\u003e\u003cli\u003eHybrid_1.14.1+\u003c/li\u003e\u003cli\u003eOPDK_5202+\u003c/li\u003e\u003cli\u003eOPDK_5300+\u003c/li\u003e\u003c/ul\u003e"
                }
              ],
              "value": "A vulnerability exists in Google  Apigee\u0027s JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy  that allows for remote code execution.\n\nIt is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,\u00a0leading to unauthorized access to data, lateral movement within the network, and access to backend systems.\n\nThe Apigee hybrid versions below have all been updated to protect from this vulnerability:\n  *  Hybrid_1.11.2+\n  *  Hybrid_1.12.4+\n  *  Hybrid_1.13.3+\n  *  Hybrid_1.14.1+\n  *  OPDK_5202+\n  *  OPDK_5300+"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T21:27:13.711Z",
            "orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
            "shortName": "GoogleCloud"
          },
          "references": [
            {
              "url": "https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Sandboxing in Google Apigee\u0027s JavaCallout Policy Allows for Remote Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c",
        "assignerShortName": "GoogleCloud",
        "cveId": "CVE-2025-13426",
        "datePublished": "2025-12-05T21:27:13.711Z",
        "dateReserved": "2025-11-19T16:10:26.041Z",
        "dateUpdated": "2025-12-08T17:27:42.517Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }