Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-48924 (GCVE-0-2025-48924)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:56 – Updated: 2025-11-04 22:06
VLAI
EPSS
Title
Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
Summary
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Commons Lang |
Affected:
2.0 , ≤ 2.6
(maven)
|
|
| Apache Software Foundation | Apache Commons Lang |
Affected:
3.0 , < 3.18.0
(maven)
|
Credits
OSS-Fuzz Issue 42522972
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T16:36:59.432024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T16:37:02.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T22:06:40.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/11/1"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unknown",
"packageName": "commons-lang:commons-lang",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.6",
"status": "affected",
"version": "2.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-lang3",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.18.0",
"status": "affected",
"version": "3.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "OSS-Fuzz Issue 42522972"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:56:58.049Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48924",
"datePublished": "2025-07-11T14:56:58.049Z",
"dateReserved": "2025-05-28T15:06:51.476Z",
"dateUpdated": "2025-11-04T22:06:40.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-48924",
"date": "2026-06-05",
"epss": "0.00099",
"percentile": "0.27196"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48924\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-07-11T15:15:24.347\",\"lastModified\":\"2025-11-04T22:16:17.823\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\u00a0cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de recursi\u00f3n incontrolada en Apache Commons Lang. Este problema afecta a Apache Commons Lang: a partir de commons-lang:commons-lang 2.0 a 2.6, y desde org.apache.commons:commons-lang3 3.0 hasta 3.18.0. El m\u00e9todo ClassUtils.getClass(...) puede generar un error de StackOverflowError en entradas muy largas. Dado que las aplicaciones y librer\u00edas no suelen gestionar un error, un error de StackOverflowError podr\u00eda provocar la detenci\u00f3n de una aplicaci\u00f3n. Se recomienda actualizar a la versi\u00f3n 3.18.0, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndExcluding\":\"2.6\",\"matchCriteriaId\":\"88B2D4D0-4FA9-443F-8195-E1C35122DC0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0\",\"versionEndExcluding\":\"3.18.0\",\"matchCriteriaId\":\"71219CE6-DF6F-469F-A603-C28B43865D7A\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/11/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/11/1\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T22:06:40.023Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48924\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-14T16:36:59.432024Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T20:10:08.183Z\"}}], \"cna\": {\"title\": \"Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"OSS-Fuzz Issue 42522972\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons Lang\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"2.6\"}], \"packageName\": \"commons-lang:commons-lang\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons Lang\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0\", \"lessThan\": \"3.18.0\", \"versionType\": \"maven\"}], \"packageName\": \"org.apache.commons:commons-lang3\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with\\u00a0commons-lang:commons-lang\\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\\u00a03.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw\\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\\u00a0cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674 Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-07-11T14:56:58.049Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48924\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T22:06:40.023Z\", \"dateReserved\": \"2025-05-28T15:06:51.476Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-07-11T14:56:58.049Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2025:15697
Vulnerability from csaf_redhat - Published: 2025-09-11 15:16 - Updated: 2026-05-10 14:28Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.9.2 release and security update
Severity
Important
Notes
Topic: Streams for Apache Kafka 2.9.2 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 2.9.2 serves as a replacement for Red Hat Streams for Apache Kafka 2.9.1, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Cruise Control, Drain Cleaner: Netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability [amq-st-2.9] "(CVE-2025-55163)"
* Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion [amq-st-2.9] "(CVE-2025-48924)"
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.
CWE-674 - Uncontrolled RecursionAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 2.9.2
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:2.9::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 2.9.2
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:2.9::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 2.9.2 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 2.9.2 serves as a replacement for Red Hat Streams for Apache Kafka 2.9.1, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control, Drain Cleaner: Netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability [amq-st-2.9] \"(CVE-2025-55163)\"\n* Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion [amq-st-2.9] \"(CVE-2025-48924)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:15697",
"url": "https://access.redhat.com/errata/RHSA-2025:15697"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_15697.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 2.9.2 release and security update",
"tracking": {
"current_release_date": "2026-05-10T14:28:07+00:00",
"generator": {
"date": "2026-05-10T14:28:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:15697",
"initial_release_date": "2025-09-11T15:16:59+00:00",
"revision_history": [
{
"date": "2025-09-11T15:16:59+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-09-11T15:16:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:28:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 2.9.2",
"product": {
"name": "Streams for Apache Kafka 2.9.2",
"product_id": "Streams for Apache Kafka 2.9.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:2.9::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-11T15:16:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:15697"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.9.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-11T15:16:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:15697"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Streams for Apache Kafka 2.9.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
RHSA-2025:16407
Vulnerability from csaf_redhat - Published: 2025-09-22 21:48 - Updated: 2026-05-10 14:28Summary
Red Hat Security Advisory: Streams for Apache Kafka 3.0.1 release and security update
Severity
Important
Notes
Topic: Streams for Apache Kafka 3.0.1 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 3.0.1 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.0, and includes security and bug fixes, and enhancements.
* Cruise Control, Drain Cleaner: Netty: netty-codec-http2: Netty MadeYouReset
HTTP/2 DDoS Vulnerability [amq-st-3.0] "(CVE-2025-55163)"
* Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion [amq-st-3.0] "(CVE-2025-48924)"
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.
CWE-674 - Uncontrolled RecursionAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.0.1
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.0::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.0.1
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.0::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 3.0.1 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 3.0.1 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.0, and includes security and bug fixes, and enhancements.\n\n* Cruise Control, Drain Cleaner: Netty: netty-codec-http2: Netty MadeYouReset\nHTTP/2 DDoS Vulnerability [amq-st-3.0] \"(CVE-2025-55163)\"\n* Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion [amq-st-3.0] \"(CVE-2025-48924)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:16407",
"url": "https://access.redhat.com/errata/RHSA-2025:16407"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_16407.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 3.0.1 release and security update",
"tracking": {
"current_release_date": "2026-05-10T14:28:09+00:00",
"generator": {
"date": "2026-05-10T14:28:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:16407",
"initial_release_date": "2025-09-22T21:48:11+00:00",
"revision_history": [
{
"date": "2025-09-22T21:48:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-09-22T21:48:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:28:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 3.0.1",
"product": {
"name": "Streams for Apache Kafka 3.0.1",
"product_id": "Streams for Apache Kafka 3.0.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:3.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-22T21:48:11+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:16407"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-22T21:48:11+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:16407"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
}
]
}
RHSA-2025:23143
Vulnerability from csaf_redhat - Published: 2025-12-11 20:15 - Updated: 2026-05-10 14:28Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.2 for Spring Boot release.
Severity
Critical
Notes
Topic: Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-9784)
* tika-core: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected (CVE-2025-66516)
Uncontrolled Recursion vulnerability in Apache Commons Lang (CVE-2025-48924)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.14
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.
CWE-674 - Uncontrolled RecursionAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.14
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A XML External Entity (XXE) injection vulnerability was found in the Apache Tika framework's PDF parsing functionality. It could allow a remote, unauthenticated attacker to exploit the system by providing a specially crafted PDF containing an XFA (XML Forms Architecture) file. This flaw could lead to sensitive information disclosure or, potentially, Remote Code Execution (RCE) on the server. The issue affects multiple Tika modules, including tika-core, tika-pdf-module, and tika-parsers, within the version ranges 1.13 through 3.2.1. This CVE expands on the scope of CVE-2025-54988 to clarify that the root cause and required fix reside in the tika-core module, regardless of which parser module is used.
10.0 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4.14
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
25 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n \n* undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-9784)\n\n* tika-core: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected (CVE-2025-66516)\n\nUncontrolled Recursion vulnerability in Apache Commons Lang (CVE-2025-48924)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23143",
"url": "https://access.redhat.com/errata/RHSA-2025:23143"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "2392306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392306"
},
{
"category": "external",
"summary": "2418870",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418870"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23143.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.2 for Spring Boot release.",
"tracking": {
"current_release_date": "2026-05-10T14:28:35+00:00",
"generator": {
"date": "2026-05-10T14:28:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:23143",
"initial_release_date": "2025-12-11T20:15:32+00:00",
"revision_history": [
{
"date": "2025-12-11T20:15:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-11T20:15:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:28:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8",
"product": {
"name": "Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8",
"product_id": "Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.14"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-9784",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-09-01T06:19:20.938000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392306"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-9784"
},
{
"category": "external",
"summary": "RHBZ#2392306",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392306"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-9784",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9784"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9784",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9784"
},
{
"category": "external",
"summary": "https://github.com/undertow-io/undertow/pull/1778",
"url": "https://github.com/undertow-io/undertow/pull/1778"
},
{
"category": "external",
"summary": "https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final",
"url": "https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/UNDERTOW-2598",
"url": "https://issues.redhat.com/browse/UNDERTOW-2598"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-09-01T06:21:54.614000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-11T20:15:32+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23143"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-11T20:15:32+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23143"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-66516",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2025-12-04T17:01:38.159055+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418870"
}
],
"notes": [
{
"category": "description",
"text": "A XML External Entity (XXE) injection vulnerability was found in the Apache Tika framework\u0027s PDF parsing functionality. It could allow a remote, unauthenticated attacker to exploit the system by providing a specially crafted PDF containing an XFA (XML Forms Architecture) file. This flaw could lead to sensitive information disclosure or, potentially, Remote Code Execution (RCE) on the server. The issue affects multiple Tika modules, including tika-core, tika-pdf-module, and tika-parsers, within the version ranges 1.13 through 3.2.1.\n\nThis CVE expands on the scope of CVE-2025-54988 to clarify that the root cause and required fix reside in the tika-core module, regardless of which parser module is used.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tika-core: tika-parsers: tika-parser-pdf-module: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Critical because it can be triggered when Apache Tika processes a maliciously crafted XFA file embedded within a PDF. Successful exploitation enables XML External Entity (XXE) injection, allowing an attacker to access sensitive local files and initiate arbitrary requests to internal or external network resources. This can lead to Server-Side Request Forgery (SSRF), data tampering, and potential elevation of privileges. With high impact across confidentiality, integrity, and availability, this vulnerability poses a severe risk to affected systems.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66516"
},
{
"category": "external",
"summary": "RHBZ#2418870",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418870"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66516",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66516"
},
{
"category": "external",
"summary": "https://cve.org/CVERecord?id=CVE-2025-54988",
"url": "https://cve.org/CVERecord?id=CVE-2025-54988"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k",
"url": "https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k"
}
],
"release_date": "2025-12-04T16:17:24.980000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-11T20:15:32+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23143"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.14.2 for Spring Boot 3.5.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "tika-core: tika-parsers: tika-parser-pdf-module: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected"
}
]
}
RHSA-2025:23417
Vulnerability from csaf_redhat - Published: 2025-12-16 23:13 - Updated: 2026-05-10 14:28Summary
Red Hat Security Advisory: Streams for Apache Kafka 3.1.0 release and security update
Severity
Important
Notes
Topic: Streams for Apache Kafka 3.1.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 3.1.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.1, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Apache Kafka, Drain Cleaner, Bridge, Cruise Conreol, Proxy, Console: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack"(CVE-2025-58057)"
* Apache Kafka, Proxy: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"(CVE-2025-58056)"
* Apache Kafka, Bridge, Drain Cleaner, Cruise Control, Console: Netty MadeYouReset HTTP/2 DDoS Vulnerability ("CVE-2025-55163")
* Apache Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion("CVE-2025-48924")
* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout("CVE-2025-1634")
* Drain Cleaner, Console: Data leak vulnerability in io.quarkus:quarkus-vertx package ("CVE-2025-49574")
* Cruise Control: org.apache.kafka/kafka_2.13: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (" CVE-2024-56128")
* Cruise Control: org.apache.kafka: Kafka Client Arbitrary File Read SSRF("CVE-2025-27817")
* Cruise Control: Kafka Clients Vulnerabiliy("CVE-2025-27819")
* Cruise Control: Kafka Clients Vulnerabiliy("CVE-2025-27818")
* Cruise Control, Console: io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw ("CVE-2025-11965")
* Cruise Control, Console: Vertx - Cross-site scripting (XSS) vulnerability ("CVE-2025-11966")
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM), which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. In environments where SCRAM is operated over plaintext communication channels, an attacker with access to the exchange can intercept and potentially reuse authentication messages, leveraging the weak nonce validation to gain unauthorized access.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A file access control flaw has been discovered in the Eclipse Foundation's Vert.x library. A StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
In Eclipse Vert.x, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in apache-kafka. The Kafka client improperly handles configuration data for SASL/OAUTHBEARER connections, allowing an attacker to specify a crafted token endpoint URL. This allows for arbitrary file reads and server-side request forgery (SSRF) by a malicious client. Consequently, this can allow an attacker to read arbitrary files on the Kafka broker or initiate requests to internal or external resources.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in apache-kafka. This issue occurs due to improper handling of configuration data when using a Kafka client SASL JAAS, allowing an attacker with access to alterConfig for a cluster resource or Kafka Connect worker to inject arbitrary configuration. This injection can lead to the creation or modification of connectors with malicious configurations. Consequently, this can allow an attacker to compromise the integrity and availability of the Kafka cluster or Kafka Connect worker.
8.0 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when misconfigured. This flaw allows an attacker to provide a malicious JNDI URI within the Kafka broker's configuration, permitting arbitrary code execution on the affected system.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.
CWE-674 - Uncontrolled RecursionAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.1.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.1::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
87 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 3.1.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 3.1.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.1, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Apache Kafka, Drain Cleaner, Bridge, Cruise Conreol, Proxy, Console: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack\"(CVE-2025-58057)\"\n* Apache Kafka, Proxy: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions\"(CVE-2025-58056)\"\n* Apache Kafka, Bridge, Drain Cleaner, Cruise Control, Console: Netty MadeYouReset HTTP/2 DDoS Vulnerability (\"CVE-2025-55163\")\n* Apache Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion(\"CVE-2025-48924\")\n* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout(\"CVE-2025-1634\")\n* Drain Cleaner, Console: Data leak vulnerability in io.quarkus:quarkus-vertx package (\"CVE-2025-49574\")\n* Cruise Control: org.apache.kafka/kafka_2.13: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (\" CVE-2024-56128\")\n* Cruise Control: org.apache.kafka: Kafka Client Arbitrary File Read SSRF(\"CVE-2025-27817\")\n* Cruise Control: Kafka Clients Vulnerabiliy(\"CVE-2025-27819\")\n* Cruise Control: Kafka Clients Vulnerabiliy(\"CVE-2025-27818\")\n* Cruise Control, Console: io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw (\"CVE-2025-11965\")\n* Cruise Control, Console: Vertx - Cross-site scripting (XSS) vulnerability (\"CVE-2025-11966\")",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23417",
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "2371365",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371365"
},
{
"category": "external",
"summary": "2371367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371367"
},
{
"category": "external",
"summary": "2371368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371368"
},
{
"category": "external",
"summary": "2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "2393000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393000"
},
{
"category": "external",
"summary": "2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "2405820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405820"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23417.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 3.1.0 release and security update",
"tracking": {
"current_release_date": "2026-05-10T14:28:14+00:00",
"generator": {
"date": "2026-05-10T14:28:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:23417",
"initial_release_date": "2025-12-16T23:13:43+00:00",
"revision_history": [
{
"date": "2025-12-16T23:13:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-16T23:13:43+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T14:28:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 3.1.0",
"product": {
"name": "Streams for Apache Kafka 3.1.0",
"product_id": "Streams for Apache Kafka 3.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-56128",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2024-12-18T14:00:43.732728+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2333013"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Kafka\u0027s implementation of the Salted Challenge Response Authentication Mechanism (SCRAM), which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka\u0027s SCRAM implementation did not perform this validation. In environments where SCRAM is operated over plaintext communication channels, an attacker with access to the exchange can intercept and potentially reuse authentication messages, leveraging the weak nonce validation to gain unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked with an Important severity because it compromises a fundamental security requirement of the SCRAM protocol as specified in RFC 5802 \u2014the validation of nonces for ensuring message integrity and preventing replay attacks. Without proper nonce validation, an attacker with plaintext access to the SCRAM authentication exchange could manipulate or replay parts of the authentication process, potentially gaining unauthorized access or disrupting the integrity of authentication. While the use of plaintext communication for SCRAM is discouraged, many legacy systems or misconfigured deployments may still rely on it, making them directly susceptible.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-56128"
},
{
"category": "external",
"summary": "RHBZ#2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-56128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56128"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802",
"url": "https://datatracker.ietf.org/doc/html/rfc5802"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802#section-9",
"url": "https://datatracker.ietf.org/doc/html/rfc5802#section-9"
},
{
"category": "external",
"summary": "https://kafka.apache.org/documentation/#security_sasl_scram_security",
"url": "https://kafka.apache.org/documentation/#security_sasl_scram_security"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw",
"url": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw"
}
],
"release_date": "2024-12-18T13:38:03.068000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption"
},
{
"cve": "CVE-2025-1634",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2025-02-24T14:17:31.237000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2347319"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked as and Important severity rather than Moderate because it allows an unauthenticated attacker to trigger a denial of service condition by repeatedly sending crafted HTTP requests with low timeouts. The issue leads to a memory leak that cannot be recovered without restarting the application, ultimately resulting in an OutOfMemoryError and complete service failure.\n\nIn a production environment, this vulnerability poses a significant risk to availability, especially for applications handling multiple concurrent requests. Since no mitigation exists, all applications using quarkus-resteasy are affected until patched. The ease of exploitation, lack of required privileges, and high impact on service uptime justify the high severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1634"
},
{
"category": "external",
"summary": "RHBZ#2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1634",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1634"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/46412",
"url": "https://github.com/quarkusio/quarkus/issues/46412"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/pull/46419",
"url": "https://github.com/quarkusio/quarkus/pull/46419"
}
],
"release_date": "2025-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout"
},
{
"cve": "CVE-2025-11965",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"discovery_date": "2025-10-22T15:04:14.114397+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405820"
}
],
"notes": [
{
"category": "description",
"text": "A file access control flaw has been discovered in the Eclipse Foundation\u0027s Vert.x library. A StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11965"
},
{
"category": "external",
"summary": "RHBZ#2405820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304"
}
],
"release_date": "2025-10-22T14:50:07.602000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw"
},
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x, when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-27817",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2025-06-10T08:00:46.717358+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in apache-kafka. The Kafka client improperly handles configuration data for SASL/OAUTHBEARER connections, allowing an attacker to specify a crafted token endpoint URL. This allows for arbitrary file reads and server-side request forgery (SSRF) by a malicious client. Consequently, this can allow an attacker to read arbitrary files on the Kafka broker or initiate requests to internal or external resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.apache.kafka: Kafka Client Arbitrary File Read SSRF",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27817"
},
{
"category": "external",
"summary": "RHBZ#2371367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27817"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:55:14.422000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this flaw, explicitly set the allowed urls in SASL JAAS configuration using the system property \"-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls\".",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.apache.kafka: Kafka Client Arbitrary File Read SSRF"
},
{
"cve": "CVE-2025-27818",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-06-10T08:00:49.484918+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in apache-kafka. This issue occurs due to improper handling of configuration data when using a Kafka client SASL JAAS, allowing an attacker with access to alterConfig for a cluster resource or Kafka Connect worker to inject arbitrary configuration. This injection can lead to the creation or modification of connectors with malicious configurations. Consequently, this can allow an attacker to compromise the integrity and availability of the Kafka cluster or Kafka Connect worker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-kafka: Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No Red Hat products are affected by this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27818"
},
{
"category": "external",
"summary": "RHBZ#2371368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27818"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:52:31.778000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread \ninstallation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "apache-kafka: Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration"
},
{
"cve": "CVE-2025-27819",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-06-10T08:00:41.723005+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371365"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when misconfigured. This flaw allows an attacker to provide a malicious JNDI URI within the Kafka broker\u0027s configuration, permitting arbitrary code execution on the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No Red Hat products or offerings are affected by this vulnerability.\n\nThis vulnerability is categorized as Important rather than Moderate due to its potential to enable remote code execution (RCE) or denial of service (DoS) in a core component of Apache Kafka\u2014its brokers\u2014under certain but realistic conditions. While exploitation requires AlterConfigs permission and network access to the Kafka cluster, these privileges are commonly granted to administrative or automation accounts in real-world deployments. The core issue arises from unsafe JAAS configuration allowing the use of JndiLoginModule, which can trigger JNDI lookups and result in arbitrary code execution if a malicious LDAP or RMI server is referenced. Given Kafka\u0027s central role in data pipelines and real-time processing systems, a successful exploit could lead to a full cluster compromise, service disruption, or even lateral movement within a network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27819"
},
{
"category": "external",
"summary": "RHBZ#2371365",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371365"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27819"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:54:41.896000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this flaw, disable the problematic login module\u0027s usage in the SASL JAAS configuration using the system property, \"-Dorg.apache.kafka.disallowed.login.modules\".",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-49574",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2025-06-23T20:00:57.216622+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374376"
}
],
"notes": [
{
"category": "description",
"text": "A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus/quarkus-vertx: Quarkus potential data leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49574"
},
{
"category": "external",
"summary": "RHBZ#2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49574"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1",
"url": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/48227",
"url": "https://github.com/quarkusio/quarkus/issues/48227"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4"
}
],
"release_date": "2025-06-23T19:47:05.454000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.quarkus/quarkus-vertx: Quarkus potential data leak"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
},
{
"cve": "CVE-2025-58056",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-09-03T21:01:22.935850+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392996"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Netty\u2019s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is considered Moderate rather than Important because successful exploitation depends on a very specific deployment condition: the presence of an intermediary reverse proxy that both mishandles lone LF characters in chunk extensions and forwards them unmodified to Netty. By itself, Netty\u2019s parsing quirk does not introduce risk, and in most real-world environments, reverse proxies normalize or reject malformed chunked requests, preventing smuggling. As a result, the vulnerability has limited reach, requires a niche configuration to be exploitable, and does not universally expose Netty-based servers to request smuggling\u2014hence it is rated moderate in severity rather than important or critical.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58056"
},
{
"category": "external",
"summary": "RHBZ#2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding",
"url": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding"
},
{
"category": "external",
"summary": "https://github.com/JLLeitschuh/unCVEed/issues/1",
"url": "https://github.com/JLLeitschuh/unCVEed/issues/1"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284",
"url": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/issues/15522",
"url": "https://github.com/netty/netty/issues/15522"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/pull/15611",
"url": "https://github.com/netty/netty/pull/15611"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49",
"url": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49"
},
{
"category": "external",
"summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
}
],
"release_date": "2025-09-03T20:56:50.732000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this issue, enforce strict RFC compliance on all front-end proxies and load balancers so that lone LF characters in chunk extensions are rejected or normalized before being forwarded. Additionally, configure input validation at the application or proxy layer to block malformed chunked requests, ensuring consistent parsing across all components in the request path.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"
},
{
"cve": "CVE-2025-58057",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-09-03T22:00:48.401986+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393000"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Moderate for Red Hat products. A flaw in Netty\u0027s BrotliDecoder and other decompression decoders can lead to a denial of service when processing specially crafted input. This affects various Red Hat products that utilize Netty for network communication and data decompression. Using BrotliDecoder on untrusted input is entirely",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58057"
},
{
"category": "external",
"summary": "RHBZ#2393000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d",
"url": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj"
}
],
"release_date": "2025-09-03T21:46:49.928000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack"
}
]
}
SUSE-SU-2025:02785-1
Vulnerability from csaf_suse - Published: 2025-08-13 11:50 - Updated: 2025-08-13 11:50Summary
Security update for apache-commons-lang3
Severity
Moderate
Notes
Title of the patch: Security update for apache-commons-lang3
Description of the patch: This update for apache-commons-lang3 fixes the following issues:
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames: SUSE-2025-2785,SUSE-SLE-Module-Basesystem-15-SP6-2025-2785,SUSE-SLE-Module-Basesystem-15-SP7-2025-2785,openSUSE-SLE-15.6-2025-2785
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2785,SUSE-SLE-Module-Basesystem-15-SP6-2025-2785,SUSE-SLE-Module-Basesystem-15-SP7-2025-2785,openSUSE-SLE-15.6-2025-2785",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02785-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02785-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502785-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02785-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041196.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-13T11:50:54Z",
"generator": {
"date": "2025-08-13T11:50:54Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02785-1",
"initial_release_date": "2025-08-13T11:50:54Z",
"revision_history": [
{
"date": "2025-08-13T11:50:54Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"product": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"product_id": "apache-commons-lang-2.6-150200.14.3.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"product": {
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"product_id": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-13T11:50:54Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
SUSE-SU-2025:02786-1
Vulnerability from csaf_suse - Published: 2025-08-13 11:51 - Updated: 2025-08-13 11:51Summary
Security update for apache-commons-lang3
Severity
Moderate
Notes
Title of the patch: Security update for apache-commons-lang3
Description of the patch: This update for apache-commons-lang3 fixes the following issues:
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames: SUSE-2025-2786,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2786
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2786,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2786",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02786-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02786-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502786-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02786-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041195.html"
},
{
"category": "self",
"summary": "SUSE Bug 1085999",
"url": "https://bugzilla.suse.com/1085999"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-13T11:51:16Z",
"generator": {
"date": "2025-08-13T11:51:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02786-1",
"initial_release_date": "2025-08-13T11:51:16Z",
"revision_history": [
{
"date": "2025-08-13T11:51:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang-2.6-5.3.1.noarch",
"product": {
"name": "apache-commons-lang-2.6-5.3.1.noarch",
"product_id": "apache-commons-lang-2.6-5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang-javadoc-2.6-5.3.1.noarch",
"product": {
"name": "apache-commons-lang-javadoc-2.6-5.3.1.noarch",
"product_id": "apache-commons-lang-javadoc-2.6-5.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-5.3.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-5.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-13T11:51:16Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
SUSE-SU-2025:02818-1
Vulnerability from csaf_suse - Published: 2025-08-15 12:56 - Updated: 2025-08-15 12:56Summary
Security update for apache-commons-lang3
Severity
Moderate
Notes
Title of the patch: Security update for apache-commons-lang3
Description of the patch: This update for apache-commons-lang3 fixes the following issues:
- Update to version 3.18.0
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames: SUSE-2025-2818,SUSE-SLE-Module-Basesystem-15-SP6-2025-2818,SUSE-SLE-Module-Basesystem-15-SP7-2025-2818,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2025-2818,openSUSE-SLE-15.6-2025-2818
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- Update to version 3.18.0 \n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2818,SUSE-SLE-Module-Basesystem-15-SP6-2025-2818,SUSE-SLE-Module-Basesystem-15-SP7-2025-2818,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2025-2818,openSUSE-SLE-15.6-2025-2818",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02818-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02818-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502818-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02818-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041221.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-15T12:56:26Z",
"generator": {
"date": "2025-08-15T12:56:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02818-1",
"initial_release_date": "2025-08-15T12:56:26Z",
"revision_history": [
{
"date": "2025-08-15T12:56:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"product_id": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"product_id": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server Module 4.3",
"product": {
"name": "SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Manager Server Module 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-15T12:56:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
WID-SEC-W-2025-1540
Vulnerability from csaf_certbund - Published: 2025-07-13 22:00 - Updated: 2026-06-02 22:00Summary
Apache Commons Lang: Schwachstelle ermöglicht Denial of Service
Severity
Niedrig
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons Lang ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme: - Linux
- UNIX
Affected products
Known affected
35 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAS Institute Base SAS <9.4M9 (TS1M9)
SAS Institute / Base SAS
|
<9.4M9 (TS1M9) | ||
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM SPSS Analytic Server
IBM / SPSS
|
cpe:/a:ibm:spss:analytic_server
|
Analytic Server | |
|
SOS GmbH JobScheduler <2.7.6
SOS GmbH / JobScheduler
|
<2.7.6 | ||
|
IBM License Metric Tool
IBM
|
cpe:/a:ibm:license_metric_tool:-
|
— | |
|
IBM Sterling Connect:Direct 6.3
IBM / Sterling Connect:Direct
|
cpe:/a:ibm:sterling_connect%3adirect:6.3
|
6.3 | |
|
HCL Commerce <25.09.17.0
HCL / Commerce
|
<25.09.17.0 | ||
|
IBM Integration Bus
IBM
|
cpe:/a:ibm:integration_bus:for_zos
|
— | |
|
IBM Sterling Connect:Direct <6.4.0.4
IBM / Sterling Connect:Direct
|
<6.4.0.4 | ||
|
Apache Commons Lang <3.18.0
Apache / Commons
|
Lang <3.18.0 | ||
|
IBM Operational Decision Manager
IBM
|
cpe:/a:ibm:operational_decision_manager:-
|
— | |
|
IBM Sterling Connect:Direct <6.2.0.29
IBM / Sterling Connect:Direct
|
<6.2.0.29 | ||
|
IBM Sterling Connect:Direct <6.3.0.15
IBM / Sterling Connect:Direct
|
<6.3.0.15 | ||
|
RealObjects PDFreactor <12.4
RealObjects / PDFreactor
|
<12.4 | ||
|
IBM DB2
IBM / DB2
|
cpe:/a:ibm:db2:-
|
— | |
|
IBM InfoSphere Information Server
IBM
|
cpe:/a:ibm:infosphere_information_server:-
|
— | |
|
IBM SPSS Collaboration and Deployment Services
IBM / SPSS
|
cpe:/a:ibm:spss:collaboration_and_deployment_services
|
Collaboration and Deployment Services | |
|
Dell Secure Connect Gateway <5.34.00.16
Dell / Secure Connect Gateway
|
<5.34.00.16 | ||
|
IBM App Connect Enterprise
IBM
|
cpe:/a:ibm:app_connect_enterprise:-
|
— | |
|
IBM Business Automation Workflow
IBM
|
cpe:/a:ibm:business_automation_workflow:-
|
— | |
|
Red Hat JBoss Enterprise Application Platform Middleware 1
Red Hat / JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:middleware_1
|
Middleware 1 | |
|
IBM Security Guardium
IBM
|
cpe:/a:ibm:security_guardium:-
|
— | |
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Open Source Vaadin <Vaadin 24.9.0-rc2
Open Source / Vaadin
|
<Vaadin 24.9.0-rc2 | ||
|
IBM DB2 Big SQL
IBM / DB2
|
cpe:/a:ibm:db2:big_sql
|
Big SQL | |
|
Ubuntu Linux
Ubuntu
|
cpe:/o:canonical:ubuntu_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Absolute Secure Access Insights <4.30
Absolute / Secure Access
|
Insights <4.30 | ||
|
IBM Tivoli Netcool/OMNIbus
IBM
|
cpe:/a:ibm:tivoli_netcool%2fomnibus:-
|
— | |
|
Open Source Keycloak <26.4.0
Open Source / Keycloak
|
<26.4.0 | ||
|
Absolute Secure Access Server <14.10
Absolute / Secure Access
|
Server <14.10 | ||
|
SOS GmbH JobScheduler <2.8.1
SOS GmbH / JobScheduler
|
<2.8.1 | ||
|
IBM Storage Scale <5.2.3.4
IBM / Storage Scale
|
<5.2.3.4 | ||
|
Dell Secure Connect Gateway Appliance <5.32.00.18
Dell / Secure Connect Gateway
|
Appliance <5.32.00.18 |
Last affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Commons Lang <=2.6
Apache / Commons
|
Lang <=2.6 |
References
43 references
{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons Lang ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1540 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1540.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1540 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1540"
},
{
"category": "external",
"summary": "Mailing list OSS Security vom 2025-07-13",
"url": "https://seclists.org/oss-sec/2025/q3/32"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-j288-q9x7-2f5v vom 2025-07-13",
"url": "https://github.com/advisories/GHSA-j288-q9x7-2f5v"
},
{
"category": "external",
"summary": "Red Hat Bugtracker #2379554 vom 2025-07-13",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15347-1 vom 2025-07-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LGR6UBT67EURFPFBQYCGTOHPDNATFA6B/"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7240960 vom 2025-07-29",
"url": "https://www.ibm.com/support/pages/node/7240960"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4262 vom 2025-08-01",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:12511 vom 2025-08-03",
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "external",
"summary": "SOS Release Notes vom 2025-08-11",
"url": "https://kb.sos-berlin.com/display/PKB/Vulnerability+Remediation+Release+2.8.1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02785-1 vom 2025-08-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022155.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02786-1 vom 2025-08-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022154.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02818-1 vom 2025-08-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022170.html"
},
{
"category": "external",
"summary": "SOS Release Notes vom 2025-08-15",
"url": "https://kb.sos-berlin.com/display/PKB/Vulnerability+Remediation+Release+2.7.6"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4286 vom 2025-08-31",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7244275 vom 2025-09-08",
"url": "https://www.ibm.com/support/pages/node/7244275"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:15697 vom 2025-09-11",
"url": "https://access.redhat.com/errata/RHSA-2025:15697"
},
{
"category": "external",
"summary": "Vaadin 24.9.0-rc2 Release Notes vom 2025-09-11",
"url": "https://github.com/vaadin/platform/releases/tag/24.9.0-rc2"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245649 vom 2025-09-20",
"url": "https://www.ibm.com/support/pages/node/7245649"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245706 vom 2025-09-22",
"url": "https://www.ibm.com/support/pages/node/7245706"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:16407 vom 2025-09-23",
"url": "https://access.redhat.com/errata/RHSA-2025:16407"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7246165 vom 2025-09-29",
"url": "https://www.ibm.com/support/pages/node/7246165"
},
{
"category": "external",
"summary": "Keycloak 26.4.0 Release Notes vom 2025-09-30",
"url": "https://www.keycloak.org/2025/09/keycloak-2640-released"
},
{
"category": "external",
"summary": "Absolute Security Information vom 2025-09-30",
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1410"
},
{
"category": "external",
"summary": "SAS Security Update vom 2025-10-02",
"url": "https://support.sas.com/en/security-bulletins/sas-security-update-for-sas-94m9-ts1m9.html"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-10-15",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124532"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7248117 vom 2025-10-16",
"url": "https://www.ibm.com/support/pages/node/7248117"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7248973 vom 2025-10-23",
"url": "https://www.ibm.com/support/pages/node/7248973"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7249057 vom 2025-10-24",
"url": "https://www.ibm.com/support/pages/node/7249057"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-390 vom 2025-11-05",
"url": "https://www.dell.com/support/kbdoc/000385230"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7252694 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7252694"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7252721 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7252721"
},
{
"category": "external",
"summary": "PDFreactor ReleaseNotes vom 2025-12-04",
"url": "https://www.pdfreactor.com/pdfreactor-12-4/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:23417 vom 2025-12-17",
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7255296 vom 2026-01-21",
"url": "https://www.ibm.com/support/pages/node/7255296"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7257914 vom 2026-01-23",
"url": "https://www.ibm.com/support/pages/node/7257914"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7258317 vom 2026-01-29",
"url": "https://www.ibm.com/support/pages/node/7258317"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7259324 vom 2026-01-30",
"url": "https://www.ibm.com/support/pages/node/7259324"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2026-152 vom 2026-03-23",
"url": "https://www.dell.com/support/kbdoc/de-de/000443243/dsa-2026-152-dell-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:10784-1 vom 2026-05-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BEKG645ORNRE7JDIAF3H6OJABJNCWNAA/"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7273312 vom 2026-05-18",
"url": "https://www.ibm.com/support/pages/node/7273312"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20841-1 vom 2026-06-01",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZX4PE7U7EUO3FASPSWEHRN3STKWX6WCN/"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-8364-1 vom 2026-06-02",
"url": "https://ubuntu.com/security/notices/USN-8364-1"
}
],
"source_lang": "en-US",
"title": "Apache Commons Lang: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2026-06-02T22:00:00.000+00:00",
"generator": {
"date": "2026-06-03T06:13:10.515+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2025-1540",
"initial_release_date": "2025-07-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-07-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-07-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-07-29T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-07-31T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-08-03T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-08-11T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-08-13T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-08-17T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-08-31T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-09-08T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-11T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-09-21T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-22T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-09-29T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-30T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-10-05T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-10-15T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von HCL und IBM aufgenommen"
},
{
"date": "2025-10-23T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-04T23:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2025-11-26T23:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-12-03T23:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-12-16T23:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-01-20T23:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-01-25T23:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-01-28T23:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-02-01T23:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-03-23T23:00:00.000+00:00",
"number": "27",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2026-05-17T22:00:00.000+00:00",
"number": "28",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-05-18T22:00:00.000+00:00",
"number": "29",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2026-06-01T22:00:00.000+00:00",
"number": "30",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2026-06-02T22:00:00.000+00:00",
"number": "31",
"summary": "Neue Updates von Ubuntu aufgenommen"
}
],
"status": "final",
"version": "31"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Server \u003c14.10",
"product": {
"name": "Absolute Secure Access Server \u003c14.10",
"product_id": "T047275"
}
},
{
"category": "product_version",
"name": "Server 14.10",
"product": {
"name": "Absolute Secure Access Server 14.10",
"product_id": "T047275-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:absolute:secure_access:server__14.10"
}
}
},
{
"category": "product_version_range",
"name": "Insights \u003c4.30",
"product": {
"name": "Absolute Secure Access Insights \u003c4.30",
"product_id": "T047276"
}
},
{
"category": "product_version",
"name": "Insights 4.30",
"product": {
"name": "Absolute Secure Access Insights 4.30",
"product_id": "T047276-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:absolute:secure_access:insights__4.30"
}
}
}
],
"category": "product_name",
"name": "Secure Access"
}
],
"category": "vendor",
"name": "Absolute"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Lang \u003c=2.6",
"product": {
"name": "Apache Commons Lang \u003c=2.6",
"product_id": "T045327"
}
},
{
"category": "product_version_range",
"name": "Lang \u003c=2.6",
"product": {
"name": "Apache Commons Lang \u003c=2.6",
"product_id": "T045327-fixed"
}
},
{
"category": "product_version_range",
"name": "Lang \u003c3.18.0",
"product": {
"name": "Apache Commons Lang \u003c3.18.0",
"product_id": "T045328"
}
},
{
"category": "product_version",
"name": "Lang 3.18.0",
"product": {
"name": "Apache Commons Lang 3.18.0",
"product_id": "T045328-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:commons:lang__3.18.0"
}
}
}
],
"category": "product_name",
"name": "Commons"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Appliance \u003c5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance \u003c5.32.00.18",
"product_id": "T048301"
}
},
{
"category": "product_version",
"name": "Appliance 5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance 5.32.00.18",
"product_id": "T048301-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:secure_connect_gateway:appliance__5.32.00.18"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.34.00.16",
"product": {
"name": "Dell Secure Connect Gateway \u003c5.34.00.16",
"product_id": "T052048"
}
},
{
"category": "product_version",
"name": "5.34.00.16",
"product": {
"name": "Dell Secure Connect Gateway 5.34.00.16",
"product_id": "T052048-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:secure_connect_gateway:5.34.00.16"
}
}
}
],
"category": "product_name",
"name": "Secure Connect Gateway"
}
],
"category": "vendor",
"name": "Dell"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c25.09.17.0",
"product": {
"name": "HCL Commerce \u003c25.09.17.0",
"product_id": "T047719"
}
},
{
"category": "product_version",
"name": "25.09.17.0",
"product": {
"name": "HCL Commerce 25.09.17.0",
"product_id": "T047719-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:hcltechsw:commerce:25.09.17.0"
}
}
}
],
"category": "product_name",
"name": "Commerce"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM App Connect Enterprise",
"product": {
"name": "IBM App Connect Enterprise",
"product_id": "T032495",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:app_connect_enterprise:-"
}
}
},
{
"category": "product_name",
"name": "IBM Business Automation Workflow",
"product": {
"name": "IBM Business Automation Workflow",
"product_id": "T043411",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Big SQL",
"product": {
"name": "IBM DB2 Big SQL",
"product_id": "T022379",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:big_sql"
}
}
},
{
"category": "product_name",
"name": "IBM DB2",
"product": {
"name": "IBM DB2",
"product_id": "T048379",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:-"
}
}
}
],
"category": "product_name",
"name": "DB2"
},
{
"category": "product_name",
"name": "IBM InfoSphere Information Server",
"product": {
"name": "IBM InfoSphere Information Server",
"product_id": "T035705",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_information_server:-"
}
}
},
{
"category": "product_name",
"name": "IBM Integration Bus",
"product": {
"name": "IBM Integration Bus",
"product_id": "T039654",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:integration_bus:for_zos"
}
}
},
{
"category": "product_name",
"name": "IBM License Metric Tool",
"product": {
"name": "IBM License Metric Tool",
"product_id": "T029071",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:license_metric_tool:-"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager",
"product": {
"name": "IBM Operational Decision Manager",
"product_id": "T005180",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Analytic Server",
"product": {
"name": "IBM SPSS Analytic Server",
"product_id": "T011787",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spss:analytic_server"
}
}
},
{
"category": "product_version",
"name": "Collaboration and Deployment Services",
"product": {
"name": "IBM SPSS Collaboration and Deployment Services",
"product_id": "T037766",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spss:collaboration_and_deployment_services"
}
}
}
],
"category": "product_name",
"name": "SPSS"
},
{
"category": "product_name",
"name": "IBM Security Guardium",
"product": {
"name": "IBM Security Guardium",
"product_id": "T021345",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_guardium:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "6.3",
"product": {
"name": "IBM Sterling Connect:Direct 6.3",
"product_id": "T045739",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.2.0.29",
"product": {
"name": "IBM Sterling Connect:Direct \u003c6.2.0.29",
"product_id": "T047720"
}
},
{
"category": "product_version",
"name": "6.2.0.29",
"product": {
"name": "IBM Sterling Connect:Direct 6.2.0.29",
"product_id": "T047720-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.2.0.29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.3.0.15",
"product": {
"name": "IBM Sterling Connect:Direct \u003c6.3.0.15",
"product_id": "T047721"
}
},
{
"category": "product_version",
"name": "6.3.0.15",
"product": {
"name": "IBM Sterling Connect:Direct 6.3.0.15",
"product_id": "T047721-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.3.0.15"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.4.0.4",
"product": {
"name": "IBM Sterling Connect:Direct \u003c6.4.0.4",
"product_id": "T047722"
}
},
{
"category": "product_version",
"name": "6.4.0.4",
"product": {
"name": "IBM Sterling Connect:Direct 6.4.0.4",
"product_id": "T047722-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.4.0.4"
}
}
}
],
"category": "product_name",
"name": "Sterling Connect:Direct"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.3.4",
"product": {
"name": "IBM Storage Scale \u003c5.2.3.4",
"product_id": "T048104"
}
},
{
"category": "product_version",
"name": "5.2.3.4",
"product": {
"name": "IBM Storage Scale 5.2.3.4",
"product_id": "T048104-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.2.3.4"
}
}
}
],
"category": "product_name",
"name": "Storage Scale"
},
{
"category": "product_name",
"name": "IBM Tivoli Netcool/OMNIbus",
"product": {
"name": "IBM Tivoli Netcool/OMNIbus",
"product_id": "T004181",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c26.4.0",
"product": {
"name": "Open Source Keycloak \u003c26.4.0",
"product_id": "T047274"
}
},
{
"category": "product_version",
"name": "26.4.0",
"product": {
"name": "Open Source Keycloak 26.4.0",
"product_id": "T047274-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:keycloak:keycloak:26.4.0"
}
}
}
],
"category": "product_name",
"name": "Keycloak"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cVaadin 24.9.0-rc2",
"product": {
"name": "Open Source Vaadin \u003cVaadin 24.9.0-rc2",
"product_id": "T046947"
}
},
{
"category": "product_version",
"name": "Vaadin 24.9.0-rc2",
"product": {
"name": "Open Source Vaadin Vaadin 24.9.0-rc2",
"product_id": "T046947-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vaadin:vaadin:vaadin_24.9.0-rc2"
}
}
}
],
"category": "product_name",
"name": "Vaadin"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c12.4",
"product": {
"name": "RealObjects PDFreactor \u003c12.4",
"product_id": "T049106"
}
},
{
"category": "product_version",
"name": "12.4",
"product": {
"name": "RealObjects PDFreactor 12.4",
"product_id": "T049106-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:realobjects:pdfreactor:12.4"
}
}
}
],
"category": "product_name",
"name": "PDFreactor"
}
],
"category": "vendor",
"name": "RealObjects"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Middleware 1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Middleware 1",
"product_id": "T046944",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:middleware_1"
}
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS \u003c9.4M9 (TS1M9)",
"product_id": "T047382"
}
},
{
"category": "product_version",
"name": "9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS 9.4M9 (TS1M9)",
"product_id": "T047382-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sas:base_sas:9.4m9_%28ts1m9%29"
}
}
}
],
"category": "product_name",
"name": "Base SAS"
}
],
"category": "vendor",
"name": "SAS Institute"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.8.1",
"product": {
"name": "SOS GmbH JobScheduler \u003c2.8.1",
"product_id": "T045972"
}
},
{
"category": "product_version",
"name": "2.8.1",
"product": {
"name": "SOS GmbH JobScheduler 2.8.1",
"product_id": "T045972-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sos_gmbh:jobscheduler:2.8.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.7.6",
"product": {
"name": "SOS GmbH JobScheduler \u003c2.7.6",
"product_id": "T046292"
}
},
{
"category": "product_version",
"name": "2.7.6",
"product": {
"name": "SOS GmbH JobScheduler 2.7.6",
"product_id": "T046292-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sos_gmbh:jobscheduler:2.7.6"
}
}
}
],
"category": "product_name",
"name": "JobScheduler"
}
],
"category": "vendor",
"name": "SOS GmbH"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T047382",
"67646",
"T011787",
"T046292",
"T029071",
"T045739",
"T047719",
"T039654",
"T047722",
"T045328",
"T005180",
"T047720",
"T047721",
"T049106",
"T048379",
"T035705",
"T037766",
"T052048",
"T032495",
"T043411",
"T046944",
"T021345",
"2951",
"T002207",
"T046947",
"T022379",
"T000126",
"T027843",
"T047276",
"T004181",
"T047274",
"T047275",
"T045972",
"T048104",
"T048301"
],
"last_affected": [
"T045327"
]
},
"release_date": "2025-07-13T22:00:00.000+00:00",
"title": "CVE-2025-48924"
}
]
}
WID-SEC-W-2025-2353
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-21 22:00Summary
Oracle Construction and Engineering: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterst\u00fctzung von Bau- und Ingenieurb\u00fcros. Sie umfasst u. a. Projektmanagement-L\u00f6sungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von \u00c4nderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2353 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2353.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2353 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2353"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Construction and Engineering vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixPVA"
}
],
"source_lang": "en-US",
"title": "Oracle Construction and Engineering: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-21T22:00:00.000+00:00",
"generator": {
"date": "2025-10-22T10:03:26.811+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2353",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=20.12.16",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.16",
"product_id": "T027346"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.16",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.16",
"product_id": "T027346-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.15",
"product_id": "T028688"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.15",
"product_id": "T028688-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.17",
"product_id": "T032097"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.17",
"product_id": "T032097-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.15",
"product_id": "T040454"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.15",
"product_id": "T040454-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.17",
"product_id": "T042801"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.17",
"product_id": "T042801-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.21.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.21.0",
"product_id": "T047896"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.21.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.21.0",
"product_id": "T047896-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.21.2",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.21.2",
"product_id": "T047897"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.21.2",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.21.2",
"product_id": "T047897-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.20.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.20.0",
"product_id": "T047898"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.20.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.20.0",
"product_id": "T047898-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.14.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.14.0",
"product_id": "T047899"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.14.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.14.0",
"product_id": "T047899-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.4.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.4.0",
"product_id": "T047900"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.4.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.4.0",
"product_id": "T047900-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.15",
"product_id": "T047901"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.15",
"product_id": "T047901-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.9",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.9",
"product_id": "T047902"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.9",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.9",
"product_id": "T047902-fixed"
}
}
],
"category": "product_name",
"name": "Construction and Engineering"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-27363",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27363"
},
{
"cve": "CVE-2025-27553",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27553"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-5878",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-5878"
}
]
}
WID-SEC-W-2025-2356
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-22 22:00Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Financial Services ist eine Zusammenstellung von Anwendungen f\u00fcr den Finanzsektor und eine Technologiebasis zur Erf\u00fcllung von IT- und Gesch\u00e4ftsanforderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2356 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2356.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2356 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2356"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Financial Services Applications vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixIFLX"
}
],
"source_lang": "en-US",
"title": "Oracle Financial Services Applications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-22T22:00:00.000+00:00",
"generator": {
"date": "2025-10-23T08:39:19.937+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2356",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-22T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-35258, EUVD-2025-35295, EUVD-2025-35299, EUVD-2025-35298, EUVD-2025-35297, EUVD-2025-35296, EUVD-2025-35300"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8.0.8",
"product": {
"name": "Oracle Financial Services Applications 8.0.8",
"product_id": "T021677",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8"
}
}
},
{
"category": "product_version",
"name": "8.0.8.1",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.1",
"product_id": "T022844",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=14.7.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.7.0.0.0",
"product_id": "T028702"
}
},
{
"category": "product_version_range",
"name": "\u003c=14.7.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.7.0.0.0",
"product_id": "T028702-fixed"
}
},
{
"category": "product_version",
"name": "8.1.2.5",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.5",
"product_id": "T028706",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.5"
}
}
},
{
"category": "product_version",
"name": "8.1.2.7",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.7",
"product_id": "T036217",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.7"
}
}
},
{
"category": "product_version",
"name": "8.1.2.8",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.8",
"product_id": "T038392",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.8"
}
}
},
{
"category": "product_version",
"name": "8.1.2.9",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.9",
"product_id": "T042811",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.9"
}
}
},
{
"category": "product_version",
"name": "8.0.7.9",
"product": {
"name": "Oracle Financial Services Applications 8.0.7.9",
"product_id": "T047907",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.7.9"
}
}
},
{
"category": "product_version",
"name": "8.0.8.7",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.7",
"product_id": "T047908",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=14.8.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.8.0.0.0",
"product_id": "T047909"
}
},
{
"category": "product_version_range",
"name": "\u003c=14.8.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.8.0.0.0",
"product_id": "T047909-fixed"
}
},
{
"category": "product_version",
"name": "8.1.2.10",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.10",
"product_id": "T047910",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.10"
}
}
},
{
"category": "product_version",
"name": "8.1.3.2",
"product": {
"name": "Oracle Financial Services Applications 8.1.3.2",
"product_id": "T047911",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.3.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=7.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=7.2.0.0.0",
"product_id": "T047912"
}
},
{
"category": "product_version_range",
"name": "\u003c=7.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=7.2.0.0.0",
"product_id": "T047912-fixed"
}
}
],
"category": "product_name",
"name": "Financial Services Applications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11988",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2020-11988"
},
{
"cve": "CVE-2024-28168",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2024-28168"
},
{
"cve": "CVE-2025-27553",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27553"
},
{
"cve": "CVE-2025-27817",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27817"
},
{
"cve": "CVE-2025-31672",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-31672"
},
{
"cve": "CVE-2025-32415",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-32415"
},
{
"cve": "CVE-2025-41249",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-41249"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-50074",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-50074"
},
{
"cve": "CVE-2025-50075",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-50075"
},
{
"cve": "CVE-2025-5115",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-5115"
},
{
"cve": "CVE-2025-53034",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53034"
},
{
"cve": "CVE-2025-53035",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53035"
},
{
"cve": "CVE-2025-53036",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53036"
},
{
"cve": "CVE-2025-53037",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53037"
},
{
"cve": "CVE-2025-55163",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-59375",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-59375"
},
{
"cve": "CVE-2025-61751",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-61751"
},
{
"cve": "CVE-2025-61756",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-61756"
},
{
"cve": "CVE-2025-6965",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-6965"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…