Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for kvrocks by apache

    CVE-2025-59792 (GCVE-0-2025-59792)

    Vulnerability from nvd – Published: 2025-11-28 14:21 – Updated: 2025-11-28 17:03
    VLAI
    Title
    Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins
    Summary
    Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reveals plaintext credentials in the MONITOR command
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 1.0.0 , ≤ 2.13.0 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59792",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T14:37:52.286992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-312",
                    "description": "CWE-312 Cleartext Storage of Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T14:37:56.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-28T17:03:57.700Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/11/28/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eReveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.\n\nThis issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.\n\nUsers are recommended to upgrade to version 2.14.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reveals plaintext credentials in the MONITOR command",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-28T14:21:22.699Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59792",
        "datePublished": "2025-11-28T14:21:22.699Z",
        "dateReserved": "2025-09-21T04:00:36.588Z",
        "dateUpdated": "2025-11-28T17:03:57.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59790 (GCVE-0-2025-59790)

    Vulnerability from nvd – Published: 2025-11-28 14:20 – Updated: 2025-11-28 17:03
    VLAI
    Title
    Apache Kvrocks: RESET command grants admin privileges
    Summary
    Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 2.9.0 , ≤ 2.13.0 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T16:49:31.870544Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T16:50:25.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-28T17:03:56.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/11/28/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "2.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Privilege Management vulnerability in Apache Kvrocks.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Kvrocks.\n\nThis issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.\n\nUsers are recommended to upgrade to version 2.14.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-28T14:20:31.682Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/dlbz5hmm4ts3npzqnvhofxmqg9w9zt0o"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: RESET command grants admin privileges",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59790",
        "datePublished": "2025-11-28T14:20:31.682Z",
        "dateReserved": "2025-09-21T03:22:21.593Z",
        "dateUpdated": "2025-11-28T17:03:56.121Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26413 (GCVE-0-2025-26413)

    Vulnerability from nvd – Published: 2025-04-22 07:07 – Updated: 2025-05-12 15:47
    VLAI
    Title
    Apache Kvrocks: The server was crashed by the negative offset
    Summary
    Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is  out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 0 , ≤ 2.11.1 (semver)
    Create a notification for this product.
    Credits
    ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-22T09:03:20.306Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/04/22/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T15:47:15.186377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:47:39.924Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Kvrocks.\u003c/p\u003eThe SETRANGE command didn\u0027t check if the `offset` input is a positive integer and use it as an index\u003cbr\u003eof a string. So it will cause the server to crash due to its index is\u0026nbsp; out of range.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kvrocks: through 2.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.12.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Input Validation vulnerability in Apache Kvrocks.\n\nThe SETRANGE command didn\u0027t check if the `offset` input is a positive integer and use it as an index\nof a string. So it will cause the server to crash due to its index is\u00a0 out of range.\nThis issue affects Apache Kvrocks: through 2.11.1.\n\nUsers are recommended to upgrade to version 2.12.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-22T10:57:37.160Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: The server was crashed by the negative offset",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26413",
        "datePublished": "2025-04-22T07:07:49.985Z",
        "dateReserved": "2025-02-10T12:29:42.521Z",
        "dateUpdated": "2025-05-12T15:47:39.924Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25069 (GCVE-0-2025-25069)

    Vulnerability from nvd – Published: 2025-02-07 12:46 – Updated: 2025-02-13 21:21
    VLAI
    Title
    Apache Kvrocks: Cross-Protocol Scripting Vulnerability
    Summary
    A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-115 - Misinterpretation of Input
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 0 , ≤ 2.11.0 (semver)
    Create a notification for this product.
    Credits
    Sergey Volosatov
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25069",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T21:21:35.668189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T21:21:42.342Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Sergey Volosatov"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\u003c/p\u003eSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\u003cbr\u003ea valid HTTP request can also be sent to Kvrocks as a valid RESP request \u003cbr\u003eand trigger some database operations, which can be\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;dangerous when \u003cbr\u003eit is chained with SSRF.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eIt is similiar to\u0026nbsp;CVE-2016-10517 in Redis.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.11.1, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\n\nSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\na valid HTTP request can also be sent to Kvrocks as a valid RESP request \nand trigger some database operations, which can be\u00a0dangerous when \nit is chained with SSRF.\n\nIt is similiar to\u00a0CVE-2016-10517 in Redis.\n\nThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\n\nUsers are recommended to upgrade to version 2.11.1, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "Moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115 Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-07T12:46:11.350Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2016-10517"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Kvrocks: Cross-Protocol Scripting Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-25069",
        "datePublished": "2025-02-07T12:46:11.350Z",
        "dateReserved": "2025-02-03T13:33:31.674Z",
        "dateUpdated": "2025-02-13T21:21:42.342Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-59792 (GCVE-0-2025-59792)

    Vulnerability from cvelistv5 – Published: 2025-11-28 14:21 – Updated: 2025-11-28 17:03
    VLAI
    Title
    Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins
    Summary
    Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reveals plaintext credentials in the MONITOR command
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 1.0.0 , ≤ 2.13.0 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59792",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T14:37:52.286992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-312",
                    "description": "CWE-312 Cleartext Storage of Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T14:37:56.536Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-28T17:03:57.700Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/11/28/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eReveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.\n\nThis issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.\n\nUsers are recommended to upgrade to version 2.14.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reveals plaintext credentials in the MONITOR command",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-28T14:21:22.699Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59792",
        "datePublished": "2025-11-28T14:21:22.699Z",
        "dateReserved": "2025-09-21T04:00:36.588Z",
        "dateUpdated": "2025-11-28T17:03:57.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59790 (GCVE-0-2025-59790)

    Vulnerability from cvelistv5 – Published: 2025-11-28 14:20 – Updated: 2025-11-28 17:03
    VLAI
    Title
    Apache Kvrocks: RESET command grants admin privileges
    Summary
    Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 2.9.0 , ≤ 2.13.0 (semver)
    Create a notification for this product.
    Credits
    Mapta / BugBunny_ai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-28T16:49:31.870544Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-28T16:50:25.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-28T17:03:56.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/11/28/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.13.0",
                  "status": "affected",
                  "version": "2.9.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mapta / BugBunny_ai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Privilege Management vulnerability in Apache Kvrocks.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Kvrocks.\n\nThis issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.\n\nUsers are recommended to upgrade to version 2.14.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-28T14:20:31.682Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/dlbz5hmm4ts3npzqnvhofxmqg9w9zt0o"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: RESET command grants admin privileges",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-59790",
        "datePublished": "2025-11-28T14:20:31.682Z",
        "dateReserved": "2025-09-21T03:22:21.593Z",
        "dateUpdated": "2025-11-28T17:03:56.121Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26413 (GCVE-0-2025-26413)

    Vulnerability from cvelistv5 – Published: 2025-04-22 07:07 – Updated: 2025-05-12 15:47
    VLAI
    Title
    Apache Kvrocks: The server was crashed by the negative offset
    Summary
    Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is  out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 0 , ≤ 2.11.1 (semver)
    Create a notification for this product.
    Credits
    ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-22T09:03:20.306Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/04/22/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T15:47:15.186377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:47:39.924Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Kvrocks.\u003c/p\u003eThe SETRANGE command didn\u0027t check if the `offset` input is a positive integer and use it as an index\u003cbr\u003eof a string. So it will cause the server to crash due to its index is\u0026nbsp; out of range.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kvrocks: through 2.11.1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.12.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Input Validation vulnerability in Apache Kvrocks.\n\nThe SETRANGE command didn\u0027t check if the `offset` input is a positive integer and use it as an index\nof a string. So it will cause the server to crash due to its index is\u00a0 out of range.\nThis issue affects Apache Kvrocks: through 2.11.1.\n\nUsers are recommended to upgrade to version 2.12.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-22T10:57:37.160Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Kvrocks: The server was crashed by the negative offset",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-26413",
        "datePublished": "2025-04-22T07:07:49.985Z",
        "dateReserved": "2025-02-10T12:29:42.521Z",
        "dateUpdated": "2025-05-12T15:47:39.924Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-25069 (GCVE-0-2025-25069)

    Vulnerability from cvelistv5 – Published: 2025-02-07 12:46 – Updated: 2025-02-13 21:21
    VLAI
    Title
    Apache Kvrocks: Cross-Protocol Scripting Vulnerability
    Summary
    A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-115 - Misinterpretation of Input
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Kvrocks Affected: 0 , ≤ 2.11.0 (semver)
    Create a notification for this product.
    Credits
    Sergey Volosatov
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-25069",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T21:21:35.668189Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T21:21:42.342Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Kvrocks",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Sergey Volosatov"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\u003c/p\u003eSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\u003cbr\u003ea valid HTTP request can also be sent to Kvrocks as a valid RESP request \u003cbr\u003eand trigger some database operations, which can be\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;dangerous when \u003cbr\u003eit is chained with SSRF.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eIt is similiar to\u0026nbsp;CVE-2016-10517 in Redis.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.11.1, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\n\nSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\na valid HTTP request can also be sent to Kvrocks as a valid RESP request \nand trigger some database operations, which can be\u00a0dangerous when \nit is chained with SSRF.\n\nIt is similiar to\u00a0CVE-2016-10517 in Redis.\n\nThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\n\nUsers are recommended to upgrade to version 2.11.1, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "Moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115 Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-07T12:46:11.350Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "related"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2016-10517"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Kvrocks: Cross-Protocol Scripting Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-25069",
        "datePublished": "2025-02-07T12:46:11.350Z",
        "dateReserved": "2025-02-03T13:33:31.674Z",
        "dateUpdated": "2025-02-13T21:21:42.342Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }