Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-22228 (GCVE-0-2025-22228)
Vulnerability from cvelistv5 – Published: 2025-03-20 05:49 – Updated: 2026-02-26 19:09
VLAI
EPSS
Title
CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
Summary
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Severity
7.4 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring Security |
Affected:
5.7.x , < 5.7.16
(Enterprise Support Only)
Affected: 5.8.x , < 5.8.18 (Enterprise Support Only) Affected: 6.0.x , < 6.0.16 (Enterprise Support Only) Affected: 6.1.x , < 6.1.14 (Enterprise Support Only) Affected: 6.2.x , < 6.2.10 (Enterprise Support Only) Affected: 6.3.x , < 6.3.8 (OSS) Affected: 6.4.x , < 6.4.4 (OSS) |
Date Public
2025-03-19 08:44
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T03:55:17.357088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:09:20.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-25T23:03:00.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250425-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "Spring Security",
"product": "Spring Security",
"vendor": "Spring",
"versions": [
{
"lessThan": "5.7.16",
"status": "affected",
"version": "5.7.x",
"versionType": "Enterprise Support Only"
},
{
"lessThan": "5.8.18",
"status": "affected",
"version": "5.8.x",
"versionType": "Enterprise Support Only"
},
{
"lessThan": "6.0.16",
"status": "affected",
"version": "6.0.x",
"versionType": "Enterprise Support Only"
},
{
"lessThan": "6.1.14",
"status": "affected",
"version": "6.1.x",
"versionType": "Enterprise Support Only"
},
{
"lessThan": "6.2.10",
"status": "affected",
"version": "6.2.x",
"versionType": "Enterprise Support Only"
},
{
"lessThan": "6.3.8",
"status": "affected",
"version": "6.3.x",
"versionType": "OSS"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "6.4.x",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-03-19T08:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eBCryptPasswordEncoder.matches(CharSequence,String)\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;will incorrectly return \u003c/span\u003e\u003ccode\u003etrue\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;for passwords larger than 72 characters as long as the first 72 characters are the same.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T05:49:19.275Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-22228"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22228",
"datePublished": "2025-03-20T05:49:19.275Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2026-02-26T19:09:20.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-22228",
"date": "2026-05-27",
"epss": "0.00065",
"percentile": "0.20274"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-22228\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2025-03-20T06:15:23.087\",\"lastModified\":\"2025-04-25T23:15:16.877\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same.\"},{\"lang\":\"es\",\"value\":\"BCryptPasswordEncoder.matches(CharSequence,String) devolver\u00e1 incorrectamente verdadero para contrase\u00f1as con m\u00e1s de 72 caracteres siempre que los primeros 72 caracteres sean iguales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2025-22228\",\"source\":\"security@vmware.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250425-0009/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250425-0009/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-04-25T23:03:00.421Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22228\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-21T03:55:17.357088Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287 Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T17:47:51.495Z\"}}], \"cna\": {\"title\": \"CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring\", \"product\": \"Spring Security\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7.x\", \"lessThan\": \"5.7.16\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"5.8.x\", \"lessThan\": \"5.8.18\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.0.x\", \"lessThan\": \"6.0.16\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.1.x\", \"lessThan\": \"6.1.14\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.2.x\", \"lessThan\": \"6.2.10\", \"versionType\": \"Enterprise Support Only\"}, {\"status\": \"affected\", \"version\": \"6.3.x\", \"lessThan\": \"6.3.8\", \"versionType\": \"OSS\"}, {\"status\": \"affected\", \"version\": \"6.4.x\", \"lessThan\": \"6.4.4\", \"versionType\": \"OSS\"}], \"packageName\": \"Spring Security\", \"defaultStatus\": \"affected\"}], \"datePublic\": \"2025-03-19T08:44:00.000Z\", \"references\": [{\"url\": \"https://spring.io/security/cve-2025-22228\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"BCryptPasswordEncoder.matches(CharSequence,String)\\u00a0will incorrectly return true\\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003ccode\u003eBCryptPasswordEncoder.matches(CharSequence,String)\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;will incorrectly return \u003c/span\u003e\u003ccode\u003etrue\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;for passwords larger than 72 characters as long as the first 72 characters are the same.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2025-03-20T05:49:19.275Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-22228\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T19:09:20.934Z\", \"dateReserved\": \"2025-01-02T04:29:59.191Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2025-03-20T05:49:19.275Z\", \"assignerShortName\": \"vmware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0322
Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20
De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| VMware | Tanzu | Tanzu GemFire C++ et .NET Framework Clients versions antérieures à 10.4.8 | ||
| VMware | Tanzu | Tanzu RabbitMQ versions antérieures à 4.0.19 | ||
| VMware | Tanzu | Tanzu RabbitMQ sur Kubernetes versions antérieures à 4.1.10 | ||
| VMware | Tanzu | Tanzu RabbitMQ versions antérieures à 4.2.5 | ||
| VMware | Tanzu | Tanzu RabbitMQ versions antérieures à 4.1.10 | ||
| VMware | Tanzu | Tanzu RabbitMQ sur Kubernetes versions antérieures à 4.2.5 | ||
| VMware | Tanzu | Tanzu GemFire Session Management versions antérieures à 1.1.1 | ||
| VMware | Tanzu | Tanzu RabbitMQ versions antérieures à 3.13.14 | ||
| VMware | Tanzu | Tanzu GemFire Search versions antérieures à 1.2.1 | ||
| VMware | Tanzu | Tanzu RabbitMQ sur Kubernetes versions antérieures à 4.0.19 | ||
| VMware | Tanzu | Tanzu GemFire sur Kubernetes versions antérieures à 2.6.2 | ||
| VMware | Tanzu | Tanzu RabbitMQ sur Kubernetes versions antérieures à 3.13.14 | ||
| VMware | Tanzu | Tanzu GemFire versions antérieures à 10.0.8 | ||
| VMware | Tanzu | Tanzu GemFire Vector Database versions antérieures à 1.2.1 | ||
| VMware | Tanzu | Tanzu Data Flow sur Kubernetes versions antérieures à 2.0.4 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu GemFire C++ et .NET Framework Clients versions ant\u00e9rieures \u00e0 10.4.8",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ versions ant\u00e9rieures \u00e0 4.0.19",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ sur Kubernetes versions ant\u00e9rieures \u00e0 4.1.10",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ versions ant\u00e9rieures \u00e0 4.2.5",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ versions ant\u00e9rieures \u00e0 4.1.10",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ sur Kubernetes versions ant\u00e9rieures \u00e0 4.2.5",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire Session Management versions ant\u00e9rieures \u00e0 1.1.1",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ versions ant\u00e9rieures \u00e0 3.13.14",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire Search versions ant\u00e9rieures \u00e0 1.2.1",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ sur Kubernetes versions ant\u00e9rieures \u00e0 4.0.19",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire sur Kubernetes versions ant\u00e9rieures \u00e0 2.6.2",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu RabbitMQ sur Kubernetes versions ant\u00e9rieures \u00e0 3.13.14",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire versions ant\u00e9rieures \u00e0 10.0.8",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire Vector Database versions ant\u00e9rieures \u00e0 1.2.1",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Data Flow sur Kubernetes versions ant\u00e9rieures \u00e0 2.0.4",
"product": {
"name": "Tanzu",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-38807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38807"
},
{
"name": "CVE-2025-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31651"
},
{
"name": "CVE-2026-24734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24734"
},
{
"name": "CVE-2025-66614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66614"
},
{
"name": "CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"name": "CVE-2025-55752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55752"
},
{
"name": "CVE-2022-28948",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28948"
},
{
"name": "CVE-2025-9820",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9820"
},
{
"name": "CVE-2026-24051",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24051"
},
{
"name": "CVE-2025-49125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49125"
},
{
"name": "CVE-2026-0861",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0861"
},
{
"name": "CVE-2026-27142",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27142"
},
{
"name": "CVE-2025-55754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55754"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"name": "CVE-2024-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23807"
},
{
"name": "CVE-2026-25679",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25679"
},
{
"name": "CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"name": "CVE-2025-48989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
},
{
"name": "CVE-2025-48988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48988"
},
{
"name": "CVE-2026-25518",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25518"
},
{
"name": "CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"name": "CVE-2025-67735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
},
{
"name": "CVE-2025-49124",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49124"
},
{
"name": "CVE-2026-0915",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0915"
},
{
"name": "CVE-2025-15281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15281"
},
{
"name": "CVE-2025-55668",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55668"
},
{
"name": "CVE-2025-46701",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46701"
},
{
"name": "CVE-2026-27139",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27139"
},
{
"name": "CVE-2025-22235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22235"
},
{
"name": "CVE-2026-24733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24733"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"name": "CVE-2025-31650",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31650"
},
{
"name": "CVE-2026-1225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1225"
},
{
"name": "CVE-2025-14831",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14831"
},
{
"name": "CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
}
],
"initial_release_date": "2026-03-20T00:00:00",
"last_revision_date": "2026-03-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0322",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits VMware",
"vendor_advisories": [
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37257",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37257"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37260",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37260"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37259",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37259"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37255",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37255"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37253",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37253"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37262",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37262"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37251",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37251"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37252",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37252"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37261",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37261"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37256",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37256"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37248",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37248"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37258",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37258"
},
{
"published_at": "2026-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37250",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37250"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37254",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37254"
},
{
"published_at": "2026-03-20",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37249",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37249"
}
]
}
FKIE_CVE-2025-22228
Vulnerability from fkie_nvd - Published: 2025-03-20 06:15 - Updated: 2026-04-15 00:35
Severity
Summary
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same."
},
{
"lang": "es",
"value": "BCryptPasswordEncoder.matches(CharSequence,String) devolver\u00e1 incorrectamente verdadero para contrase\u00f1as con m\u00e1s de 72 caracteres siempre que los primeros 72 caracteres sean iguales."
}
],
"id": "CVE-2025-22228",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security@vmware.com",
"type": "Secondary"
}
]
},
"published": "2025-03-20T06:15:23.087",
"references": [
{
"source": "security@vmware.com",
"url": "https://spring.io/security/cve-2025-22228"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20250425-0009/"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-MG83-C7GQ-RV5C
Vulnerability from github – Published: 2025-03-20 06:31 – Updated: 2025-04-26 00:30
VLAI
Summary
Spring Security Does Not Enforce Password Length
Details
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Severity
7.4 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1.13"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.15"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.17"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"fixed": "5.8.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.7.15"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22228"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-521"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T18:19:20Z",
"nvd_published_at": "2025-03-20T06:15:23Z",
"severity": "HIGH"
},
"details": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same.",
"id": "GHSA-mg83-c7gq-rv5c",
"modified": "2025-04-26T00:30:24Z",
"published": "2025-03-20T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-security"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250425-0009"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Security Does Not Enforce Password Length"
}
NCSC-2025-0275
Vulnerability from csaf_ncscnl - Published: 2025-09-09 11:12 - Updated: 2025-09-09 11:12Summary
Kwetsbaarheden verholpen in SAP producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder in SAP NetWeaver, SAP NetWeaver Application Server Java en SAP Landscape Transformation.
Interpretaties: De kwetsbaarheden bevinden zich onder andere in de RMI-P4 module en de SAP NetWeaver AS Java platform.
De kwetsbaarheid met kenmerk CVE-2025-42944 betreft een deserialisatieprobleem dat kan worden misbruikt door niet-geauthenticeerde aanvallers, wat kan leiden tot willekeurige OS-commando-executie. Dit bedreigt de vertrouwelijkheid, integriteit en beschikbaarheid van de applicatie.
De kwetsbaarheid met kenmerk CVE-2025-42922 stelt geauthenticeerde niet-administratieve gebruikers in staat om willekeurige bestanden te uploaden via de Deploy Web Service-functie. Dit kan ook leiden tot compromittering van systeemvertrouwelijkheid, integriteit en beschikbaarheid.
Oplossingen: SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-250: Execution with Unnecessary Privileges
CWE-287: Improper Authentication
CWE-306: Missing Authentication for Critical Function
CWE-341: Predictable from Observable State
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-404: Improper Resource Shutdown or Release
CWE-502: Deserialization of Untrusted Data
CWE-521: Weak Password Requirements
CWE-522: Insufficiently Protected Credentials
CWE-606: Unchecked Input for Loop Condition
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
CWE-1287: Improper Validation of Specified Type of Input
CWE-1395: Dependency on Vulnerable Third-Party Component
7.5 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.6 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-404
- Improper Resource Shutdown or Release
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
7.4 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
7.7 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
5.0 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.1 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.1 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.9 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
5.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-1395
- Dependency on Vulnerable Third-Party Component
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.1 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.8 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.1 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-1022
- Use of Web Link to Untrusted Target with window.opener Access
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
10.0 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.1 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.9 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
References
28 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder in SAP NetWeaver, SAP NetWeaver Application Server Java en SAP Landscape Transformation.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden bevinden zich onder andere in de RMI-P4 module en de SAP NetWeaver AS Java platform.\n\nDe kwetsbaarheid met kenmerk CVE-2025-42944 betreft een deserialisatieprobleem dat kan worden misbruikt door niet-geauthenticeerde aanvallers, wat kan leiden tot willekeurige OS-commando-executie. Dit bedreigt de vertrouwelijkheid, integriteit en beschikbaarheid van de applicatie.\n\nDe kwetsbaarheid met kenmerk CVE-2025-42922 stelt geauthenticeerde niet-administratieve gebruikers in staat om willekeurige bestanden te uploaden via de Deploy Web Service-functie. Dit kan ook leiden tot compromittering van systeemvertrouwelijkheid, integriteit en beschikbaarheid.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Predictable from Observable State",
"title": "CWE-341"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "general",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "Unchecked Input for Loop Condition",
"title": "CWE-606"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Use of Web Link to Untrusted Target with window.opener Access",
"title": "CWE-1022"
},
{
"category": "general",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "Dependency on Vulnerable Third-Party Component",
"title": "CWE-1395"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP producten",
"tracking": {
"current_release_date": "2025-09-09T11:12:22.945466Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.2"
}
},
"id": "NCSC-2025-0275",
"initial_release_date": "2025-09-09T11:12:22.945466Z",
"revision_history": [
{
"date": "2025-09-09T11:12:22.945466Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Business Planning and Consolidation"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "NetWeaver ABAP Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "NetWeaver AS Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Netweaver"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "SAP Business One (SLD)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "SAP Fiori (Launchpad)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "SAP Fiori App (F4044 Manage Work Center Groups)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "SAP HCM (Approve Timesheets Fiori 2.0 application)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "SAP HCM (My Timesheet Fiori 2.0 application)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "SAP Landscape Transformation Replication Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver (Service Data Download)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (Adobe Document Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (Deploy Web Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (IIOP Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-15"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-16"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server for ABAP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-17"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server for ABAP (Background Processing)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-18"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver and ABAP Platform (Service Data Collection)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-19"
}
}
],
"category": "product_name",
"name": "SAP Netweaver (RMI-P4)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-20"
}
}
],
"category": "product_name",
"name": "SAP S/4HANA (Private Cloud or On-Premise)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-21"
}
}
],
"category": "product_name",
"name": "Supplier Relationship Management"
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-5072",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-5072 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-5072.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-27500",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-27500 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-27500.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2023-27500"
},
{
"cve": "CVE-2024-13009",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-13009 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-13009.json"
}
],
"title": "CVE-2024-13009"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-521",
"name": "Weak Password Requirements"
},
"notes": [
{
"category": "other",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-22228 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22228.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-22228"
},
{
"cve": "CVE-2025-27428",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-27428 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27428.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-27428"
},
{
"cve": "CVE-2025-42911",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42911 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42911.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42911"
},
{
"cve": "CVE-2025-42912",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42912 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42912.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42912"
},
{
"cve": "CVE-2025-42913",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42913 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42913.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42913"
},
{
"cve": "CVE-2025-42914",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42914 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42914.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42914"
},
{
"cve": "CVE-2025-42915",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42915 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42915.json"
}
],
"title": "CVE-2025-42915"
},
{
"cve": "CVE-2025-42916",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42916 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42916.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42916"
},
{
"cve": "CVE-2025-42917",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42917 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42917.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42917"
},
{
"cve": "CVE-2025-42918",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42918 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42918.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42918"
},
{
"cve": "CVE-2025-42920",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42920 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42920.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42920"
},
{
"cve": "CVE-2025-42922",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42922 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42922.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42922"
},
{
"cve": "CVE-2025-42923",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42923 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42923.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42923"
},
{
"cve": "CVE-2025-42925",
"cwe": {
"id": "CWE-341",
"name": "Predictable from Observable State"
},
"notes": [
{
"category": "other",
"text": "Predictable from Observable State",
"title": "CWE-341"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42925 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42925.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42925"
},
{
"cve": "CVE-2025-42926",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42926 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42926.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42926"
},
{
"cve": "CVE-2025-42927",
"cwe": {
"id": "CWE-1395",
"name": "Dependency on Vulnerable Third-Party Component"
},
"notes": [
{
"category": "other",
"text": "Dependency on Vulnerable Third-Party Component",
"title": "CWE-1395"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42927 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42927.json"
}
],
"title": "CVE-2025-42927"
},
{
"cve": "CVE-2025-42929",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42929 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42929.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42929"
},
{
"cve": "CVE-2025-42930",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"notes": [
{
"category": "other",
"text": "Unchecked Input for Loop Condition",
"title": "CWE-606"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42930 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42930.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42930"
},
{
"cve": "CVE-2025-42933",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"category": "other",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42933 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42933.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42933"
},
{
"cve": "CVE-2025-42938",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42938 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42938.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42938"
},
{
"cve": "CVE-2025-42941",
"cwe": {
"id": "CWE-1022",
"name": "Use of Web Link to Untrusted Target with window.opener Access"
},
"notes": [
{
"category": "other",
"text": "Use of Web Link to Untrusted Target with window.opener Access",
"title": "CWE-1022"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42941 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42941.json"
}
],
"title": "CVE-2025-42941"
},
{
"cve": "CVE-2025-42944",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42944 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42944.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42944"
},
{
"cve": "CVE-2025-42958",
"cwe": {
"id": "CWE-250",
"name": "Execution with Unnecessary Privileges"
},
"notes": [
{
"category": "other",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42958 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42958.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42958"
},
{
"cve": "CVE-2025-42961",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42961 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42961.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42961"
}
]
}
NCSC-2026-0025
Vulnerability from csaf_ncscnl - Published: 2026-01-21 09:55 - Updated: 2026-01-21 09:55Summary
Kwetsbaarheden verholpen in Oracle Financial Services
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle Banking Liquidity Management, Oracle Financial Services Model Management en Oracle FLEXCUBE.
Interpretaties: De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens en Denial-of-Service (DoS) aan te richten. Dit kan leiden tot vertrouwelijkheids- en integriteitsrisico's. Specifieke kwetsbaarheden omvatten onjuist beheer van verbindingen en onvoldoende invoervalidatie wat kan resulteren in systeemcompromittering en serviceonderbrekingen.
Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-125: Out-of-bounds Read
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CWE-285: Improper Authorization
CWE-287: Improper Authentication
CWE-289: Authentication Bypass by Alternate Name
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-521: Weak Password Requirements
CWE-674: Uncontrolled Recursion
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-787: Out-of-bounds Write
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-863: Incorrect Authorization
CWE-918: Server-Side Request Forgery (SSRF)
CWE-937: CWE-937
CWE-1035: CWE-1035
Multiple vulnerabilities, including the 'MadeYouReset' attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities have been identified across Oracle and NetApp products, including critical issues in Oracle Banking Liquidity Management and Spring Security flaws affecting sensitive data integrity.
7.4 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities across Apache Kafka and Oracle products allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for several Oracle systems.
8.1 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Recent updates to Apache Commons BeanUtils and Oracle products address multiple vulnerabilities, including remote code execution and system compromise risks, affecting various versions and components.
8.8 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities in Oracle's Primavera P6 and WebCenter Forms Recognition, along with an Apache CXF bug and issues in HPE Telco Service Activator, expose systems to unauthorized data access and potential denial of service.
5.6 (Medium)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.
6.5 (Medium)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.
9.1 (Critical)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.
7.5 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
Apache Tomcat and Oracle Communications Unified Assurance have critical vulnerabilities related to Denial of Service (DoS) risks, affecting multiple versions and requiring updates to address issues like improper resource shutdown and HTTP access exploitation.
5.3 (Medium)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
The urllib3 library had a vulnerability allowing unbounded decompression chains, leading to potential Denial of Service (DoS) attacks due to excessive CPU and memory usage, fixed in version 2.6.0.
8.6 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
A vulnerability in Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0, and 14.8.0.1.0 allows low privileged attackers to exploit it via HTTP, leading to unauthorized access and modification of critical data.
8.1 (High)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
A vulnerability in Oracle FLEXCUBE Universal Banking (versions 14.0.0.0.0-14.8.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, rated with a CVSS 3.1 Base Score of 6.5.
6.5 (Medium)
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Oracle Banking Branch
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Cash Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Corporate Lending Process Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Liquidity Management
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Banking Supply Chain Finance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Investor Servicing
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle FLEXCUBE Universal Banking
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Compliance Studio
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Financial Services Model Management and Governance
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Insurance Policy Administration J2EE
|
vers:unknown/* |
References
17 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle Banking Liquidity Management, Oracle Financial Services Model Management en Oracle FLEXCUBE.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens en Denial-of-Service (DoS) aan te richten. Dit kan leiden tot vertrouwelijkheids- en integriteitsrisico\u0027s. Specifieke kwetsbaarheden omvatten onjuist beheer van verbindingen en onvoldoende invoervalidatie wat kan resulteren in systeemcompromittering en serviceonderbrekingen.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Authentication Bypass by Alternate Name",
"title": "CWE-289"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"title": "CWE-843"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html"
}
],
"title": "Kwetsbaarheden verholpen in Oracle Financial Services",
"tracking": {
"current_release_date": "2026-01-21T09:55:33.889125Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0025",
"initial_release_date": "2026-01-21T09:55:33.889125Z",
"revision_history": [
{
"date": "2026-01-21T09:55:33.889125Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Oracle Banking Branch"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Oracle Banking Cash Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Oracle Banking Corporate Lending Process Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Oracle Banking Liquidity Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "Oracle Banking Supply Chain Finance"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Oracle FLEXCUBE Investor Servicing"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "Oracle FLEXCUBE Universal Banking"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "Oracle Financial Services Compliance Studio"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "Oracle Financial Services Model Management and Governance"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "Oracle Insurance Policy Administration J2EE"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-5115",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-5115 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-5115"
},
{
"cve": "CVE-2025-9230",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-9230 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9230.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-9230"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-521",
"name": "Weak Password Requirements"
},
"notes": [
{
"category": "other",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified across Oracle and NetApp products, including critical issues in Oracle Banking Liquidity Management and Spring Security flaws affecting sensitive data integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-22228 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22228.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-22228"
},
{
"cve": "CVE-2025-27817",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Apache Kafka and Oracle products allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for several Oracle systems.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-27817 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27817.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-27817"
},
{
"cve": "CVE-2025-41248",
"cwe": {
"id": "CWE-289",
"name": "Authentication Bypass by Alternate Name"
},
"notes": [
{
"category": "other",
"text": "Authentication Bypass by Alternate Name",
"title": "CWE-289"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-41248 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-41248"
},
{
"cve": "CVE-2025-41249",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"category": "other",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-41249 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-41249"
},
{
"cve": "CVE-2025-48734",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "description",
"text": "Recent updates to Apache Commons BeanUtils and Oracle products address multiple vulnerabilities, including remote code execution and system compromise risks, affecting various versions and components.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48734 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48734.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-48734"
},
{
"cve": "CVE-2025-48795",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "Multiple vulnerabilities in Oracle\u0027s Primavera P6 and WebCenter Forms Recognition, along with an Apache CXF bug and issues in HPE Telco Service Activator, expose systems to unauthorized data access and potential denial of service.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-48795"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-49796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49796 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-49796"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55163 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-61795",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tomcat and Oracle Communications Unified Assurance have critical vulnerabilities related to Denial of Service (DoS) risks, affecting multiple versions and requiring updates to address issues like improper resource shutdown and HTTP access exploitation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-61795"
},
{
"cve": "CVE-2025-66418",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "The urllib3 library had a vulnerability allowing unbounded decompression chains, leading to potential Denial of Service (DoS) attacks due to excessive CPU and memory usage, fixed in version 2.6.0.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-66418 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66418.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2025-66418"
},
{
"cve": "CVE-2026-21973",
"notes": [
{
"category": "description",
"text": "A vulnerability in Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0, and 14.8.0.1.0 allows low privileged attackers to exploit it via HTTP, leading to unauthorized access and modification of critical data.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21973 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21973.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2026-21973"
},
{
"cve": "CVE-2026-21978",
"notes": [
{
"category": "description",
"text": "A vulnerability in Oracle FLEXCUBE Universal Banking (versions 14.0.0.0.0-14.8.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, rated with a CVSS 3.1 Base Score of 6.5.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21978 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21978.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10"
]
}
],
"title": "CVE-2026-21978"
}
]
}
RHSA-2025:10092
Vulnerability from csaf_redhat - Published: 2025-07-01 13:48 - Updated: 2026-05-10 14:26Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.18 OpenShift Jenkins security update
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat Product OCP
Tools 4.18. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for
CVE-2023-1370) (CVE-2024-57699)
* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not
enforce maximum password length (CVE-2025-22228)
* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
* jenkins-2-plugins: jackson-core Potential StackoverflowError
(CVE-2025-52999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat Product OCP \nTools 4.18. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10092",
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10092.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.18 OpenShift Jenkins security update",
"tracking": {
"current_release_date": "2026-05-10T14:26:59+00:00",
"generator": {
"date": "2026-05-10T14:26:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10092",
"initial_release_date": "2025-07-01T13:48:03+00:00",
"revision_history": [
{
"date": "2025-07-01T13:48:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-01T13:48:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:26:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.18",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.18",
"product_id": "9Base-OCP-Tools-4.18",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.18::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750846524-3.el9.src",
"product": {
"name": "jenkins-0:2.504.2.1750846524-3.el9.src",
"product_id": "jenkins-0:2.504.2.1750846524-3.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750846524-3.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
"product": {
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
"product_id": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.18.1750846854-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
"product": {
"name": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
"product_id": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750846524-3.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"product_id": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.18.1750846854-1.el9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750846524-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.18",
"product_id": "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch"
},
"product_reference": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750846524-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.18",
"product_id": "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src"
},
"product_reference": "jenkins-0:2.504.2.1750846524-3.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.18",
"product_id": "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.18",
"product_id": "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
},
"product_reference": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.18"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-02-05T22:01:26.352808+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344073"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-57699"
},
{
"category": "external",
"summary": "RHBZ#2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
"url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
}
],
"release_date": "2025-02-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T13:48:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
},
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T13:48:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-03-20T06:00:45.196050+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2353507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22228"
},
{
"category": "external",
"summary": "RHBZ#2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"release_date": "2025-03-20T05:49:19.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T13:48:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-06-25T18:00:54.693716+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374804"
}
],
"notes": [
{
"category": "description",
"text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52999"
},
{
"category": "external",
"summary": "RHBZ#2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/pull/943",
"url": "https://github.com/FasterXML/jackson-core/pull/943"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
}
],
"release_date": "2025-06-25T17:02:57.428000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T13:48:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
"product_ids": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
"9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
}
]
}
RHSA-2025:10097
Vulnerability from csaf_redhat - Published: 2025-07-01 14:30 - Updated: 2026-05-10 14:26Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 OpenShift Jenkins security update
Severity
Important
Notes
Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP
Tools 4.17. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for
CVE-2023-1370) (CVE-2024-57699)
* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not
enforce maximum password length (CVE-2025-22228)
* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
* jenkins-2-plugins: jackson-core Potential StackoverflowError
(CVE-2025-52999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.17. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10097",
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10097.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 OpenShift Jenkins security update",
"tracking": {
"current_release_date": "2026-05-10T14:26:53+00:00",
"generator": {
"date": "2026-05-10T14:26:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10097",
"initial_release_date": "2025-07-01T14:30:33+00:00",
"revision_history": [
{
"date": "2025-07-01T14:30:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-01T14:30:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:26:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.17",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.17",
"product_id": "9Base-OCP-Tools-4.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.17::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750851690-3.el9.src",
"product": {
"name": "jenkins-0:2.504.2.1750851690-3.el9.src",
"product_id": "jenkins-0:2.504.2.1750851690-3.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750851690-3.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
"product": {
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
"product_id": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.17.1750851950-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
"product": {
"name": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
"product_id": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750851690-3.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"product_id": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.17.1750851950-1.el9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750851690-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17",
"product_id": "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch"
},
"product_reference": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750851690-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17",
"product_id": "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src"
},
"product_reference": "jenkins-0:2.504.2.1750851690-3.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17",
"product_id": "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17",
"product_id": "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
},
"product_reference": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-02-05T22:01:26.352808+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344073"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-57699"
},
{
"category": "external",
"summary": "RHBZ#2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
"url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
}
],
"release_date": "2025-02-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:30:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
},
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:30:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-03-20T06:00:45.196050+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2353507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22228"
},
{
"category": "external",
"summary": "RHBZ#2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"release_date": "2025-03-20T05:49:19.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:30:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-06-25T18:00:54.693716+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374804"
}
],
"notes": [
{
"category": "description",
"text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52999"
},
{
"category": "external",
"summary": "RHBZ#2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/pull/943",
"url": "https://github.com/FasterXML/jackson-core/pull/943"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
}
],
"release_date": "2025-06-25T17:02:57.428000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:30:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
"product_ids": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
"9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
}
]
}
RHSA-2025:10098
Vulnerability from csaf_redhat - Published: 2025-07-01 14:34 - Updated: 2026-05-10 14:26Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 OpenShift Jenkins security update
Severity
Important
Notes
Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP
Tools 4.16. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) (CVE-2024-57699)
* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length (CVE-2025-22228)
* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
* jenkins-2-plugins: jackson-core Potential StackoverflowError (CVE-2025-52999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.16. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10098",
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10098.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 OpenShift Jenkins security update",
"tracking": {
"current_release_date": "2026-05-10T14:26:55+00:00",
"generator": {
"date": "2026-05-10T14:26:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10098",
"initial_release_date": "2025-07-01T14:34:48+00:00",
"revision_history": [
{
"date": "2025-07-01T14:34:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-01T14:34:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:26:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.16",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.16",
"product_id": "9Base-OCP-Tools-4.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.16::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750857144-3.el9.src",
"product": {
"name": "jenkins-0:2.504.2.1750857144-3.el9.src",
"product_id": "jenkins-0:2.504.2.1750857144-3.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750857144-3.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
"product": {
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
"product_id": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.16.1750857315-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
"product": {
"name": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
"product_id": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750857144-3.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"product_id": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.16.1750857315-1.el9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750857144-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16",
"product_id": "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch"
},
"product_reference": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750857144-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16",
"product_id": "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src"
},
"product_reference": "jenkins-0:2.504.2.1750857144-3.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16",
"product_id": "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"relates_to_product_reference": "9Base-OCP-Tools-4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16",
"product_id": "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
},
"product_reference": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
"relates_to_product_reference": "9Base-OCP-Tools-4.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-02-05T22:01:26.352808+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344073"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-57699"
},
{
"category": "external",
"summary": "RHBZ#2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
"url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
}
],
"release_date": "2025-02-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:34:48+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
},
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:34:48+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-03-20T06:00:45.196050+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2353507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22228"
},
{
"category": "external",
"summary": "RHBZ#2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"release_date": "2025-03-20T05:49:19.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:34:48+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-06-25T18:00:54.693716+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374804"
}
],
"notes": [
{
"category": "description",
"text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52999"
},
{
"category": "external",
"summary": "RHBZ#2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/pull/943",
"url": "https://github.com/FasterXML/jackson-core/pull/943"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
}
],
"release_date": "2025-06-25T17:02:57.428000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:34:48+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
"product_ids": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
"9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
}
]
}
RHSA-2025:10104
Vulnerability from csaf_redhat - Published: 2025-07-01 14:56 - Updated: 2026-05-10 14:26Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 OpenShift Jenkins security update
Severity
Important
Notes
Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP
Tools 4.15. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for
CVE-2023-1370) (CVE-2024-57699)
* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not
enforce maximum password length (CVE-2025-22228)
* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
* jenkins-2-plugins: jackson-core Potential StackoverflowError
(CVE-2025-52999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.15. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10104",
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10104.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 OpenShift Jenkins security update",
"tracking": {
"current_release_date": "2026-05-10T14:26:58+00:00",
"generator": {
"date": "2026-05-10T14:26:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10104",
"initial_release_date": "2025-07-01T14:56:03+00:00",
"revision_history": [
{
"date": "2025-07-01T14:56:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-01T14:56:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:26:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.15",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.15",
"product_id": "8Base-OCP-Tools-4.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.15::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750856366-3.el8.src",
"product": {
"name": "jenkins-0:2.504.2.1750856366-3.el8.src",
"product_id": "jenkins-0:2.504.2.1750856366-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750856366-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.15.1750856638-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
"product": {
"name": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
"product_id": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750856366-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.15.1750856638-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750856366-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15",
"product_id": "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch"
},
"product_reference": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750856366-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15",
"product_id": "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src"
},
"product_reference": "jenkins-0:2.504.2.1750856366-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15",
"product_id": "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15",
"product_id": "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-02-05T22:01:26.352808+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344073"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-57699"
},
{
"category": "external",
"summary": "RHBZ#2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
"url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
}
],
"release_date": "2025-02-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:56:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
},
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:56:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-03-20T06:00:45.196050+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2353507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22228"
},
{
"category": "external",
"summary": "RHBZ#2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"release_date": "2025-03-20T05:49:19.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:56:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-06-25T18:00:54.693716+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374804"
}
],
"notes": [
{
"category": "description",
"text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52999"
},
{
"category": "external",
"summary": "RHBZ#2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/pull/943",
"url": "https://github.com/FasterXML/jackson-core/pull/943"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
}
],
"release_date": "2025-06-25T17:02:57.428000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T14:56:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
"product_ids": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
"8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
}
]
}
RHSA-2025:10118
Vulnerability from csaf_redhat - Published: 2025-07-01 16:36 - Updated: 2026-05-10 14:27Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 OpenShift Jenkins security update
Severity
Important
Notes
Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP
Tools 4.12. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for
CVE-2023-1370) (CVE-2024-57699)
* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not
enforce maximum password length (CVE-2025-22228)
* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
* jenkins-2-plugins: jackson-core Potential StackoverflowError
(CVE-2025-52999)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
7.4 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP\nTools 4.12. Red Hat Product Security has rated this update as having a\nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10118",
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10118.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 OpenShift Jenkins security update",
"tracking": {
"current_release_date": "2026-05-10T14:27:00+00:00",
"generator": {
"date": "2026-05-10T14:27:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10118",
"initial_release_date": "2025-07-01T16:36:58+00:00",
"revision_history": [
{
"date": "2025-07-01T16:36:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-01T16:36:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:27:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750932984-3.el8.src",
"product": {
"name": "jenkins-0:2.504.2.1750932984-3.el8.src",
"product_id": "jenkins-0:2.504.2.1750932984-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750932984-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1750933270-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
"product": {
"name": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
"product_id": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.504.2.1750932984-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1750933270-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750932984-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch"
},
"product_reference": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.504.2.1750932984-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src"
},
"product_reference": "jenkins-0:2.504.2.1750932984-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-02-05T22:01:26.352808+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344073"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-57699"
},
{
"category": "external",
"summary": "RHBZ#2344073",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
"url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
}
],
"release_date": "2025-02-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T16:36:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
},
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T16:36:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2025-03-20T06:00:45.196050+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2353507"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22228"
},
{
"category": "external",
"summary": "RHBZ#2353507",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
}
],
"release_date": "2025-03-20T05:49:19.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T16:36:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have a recommended mitigation at this time.",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2025-06-25T18:00:54.693716+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374804"
}
],
"notes": [
{
"category": "description",
"text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52999"
},
{
"category": "external",
"summary": "RHBZ#2374804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/pull/943",
"url": "https://github.com/FasterXML/jackson-core/pull/943"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
}
],
"release_date": "2025-06-25T17:02:57.428000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-01T16:36:58+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…