Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-48976 (GCVE-0-2025-48976)
Vulnerability from cvelistv5 – Published: 2025-06-16 15:00 – Updated: 2025-11-03 20:05
VLAI
EPSS
Title
Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
Summary
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Allocation of resources with insufficient limits
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Commons FileUpload |
Affected:
1.0 , < 1.6
(semver)
|
|
| Apache Software Foundation | Apache Commons FileUpload |
Affected:
2.0.0-M1 , < 2.0.0-M4
(semver)
|
Credits
TERASOLUNA Framework Security Team of NTT DATA Group Corporation
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:05:02.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:04:56.145891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:07:34.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "commons-fileupload:commons-fileupload",
"product": "Apache Commons FileUpload",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6",
"status": "affected",
"version": "1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-fileupload2",
"product": "Apache Commons FileUpload",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.0-M4",
"status": "affected",
"version": "2.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TERASOLUNA Framework Security Team of NTT DATA Group Corporation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\u003c/p\u003e"
}
],
"value": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Allocation of resources with insufficient limits",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T15:00:48.140Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48976",
"datePublished": "2025-06-16T15:00:48.140Z",
"dateReserved": "2025-05-29T07:19:14.431Z",
"dateUpdated": "2025-11-03T20:05:02.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-48976",
"date": "2026-06-04",
"epss": "0.01278",
"percentile": "0.79901"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48976\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-06-16T15:15:24.460\",\"lastModified\":\"2025-11-03T20:19:07.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\\n\\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\\n\\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\"},{\"lang\":\"es\",\"value\":\"La asignaci\u00f3n de recursos para encabezados multiparte con l\u00edmites insuficientes gener\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en Apache Commons FileUpload. Este problema afecta a Apache Commons FileUpload: de la versi\u00f3n 1.0 a la 1.6; de la versi\u00f3n 2.0.0-M1 a la 2.0.0-M4. Se recomienda actualizar a las versiones 1.6 o 2.0.0-M4, que solucionan el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0\",\"versionEndExcluding\":\"1.6\",\"matchCriteriaId\":\"20D93D43-A57F-4C1E-82AC-EB50648742EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B415BCF-AACF-4882-8882-10D99610C79D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m1-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB892667-4AF8-41C6-9F40-D800CA16A8C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AE1594A-1C38-461E-B949-76A0C24A3C7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m2-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"827AA598-1A62-4529-A7C7-37EB9D56BE6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m3:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA5C9AC9-56E6-4864-9965-827C93755F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m3-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2395D9D-DEF6-4CC7-87F9-6D8FC9DCEE74\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/06/16/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/06/16/4\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:05:02.486Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48976\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T14:04:56.145891Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T14:05:58.653Z\"}}], \"cna\": {\"title\": \"Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"TERASOLUNA Framework Security Team of NTT DATA Group Corporation\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons FileUpload\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"lessThan\": \"1.6\", \"versionType\": \"semver\"}], \"packageName\": \"commons-fileupload:commons-fileupload\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons FileUpload\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0-M1\", \"lessThan\": \"2.0.0-M4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.commons:commons-fileupload2\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\\n\\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\\n\\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAllocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Allocation of resources with insufficient limits\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-06-16T15:00:48.140Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48976\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T20:05:02.486Z\", \"dateReserved\": \"2025-05-29T07:19:14.431Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-06-16T15:00:48.140Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-48976
Vulnerability from fkie_nvd - Published: 2025-06-16 15:15 - Updated: 2025-11-03 20:19
Severity
Summary
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | commons_fileupload | * | |
| apache | commons_fileupload | 2.0.0 | |
| apache | commons_fileupload | 2.0.0 | |
| apache | commons_fileupload | 2.0.0 | |
| apache | commons_fileupload | 2.0.0 | |
| apache | commons_fileupload | 2.0.0 | |
| apache | commons_fileupload | 2.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*",
"matchCriteriaId": "20D93D43-A57F-4C1E-82AC-EB50648742EE",
"versionEndExcluding": "1.6",
"versionStartIncluding": "1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m1:*:*:*:*:*:*",
"matchCriteriaId": "3B415BCF-AACF-4882-8882-10D99610C79D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m1-rc1:*:*:*:*:*:*",
"matchCriteriaId": "EB892667-4AF8-41C6-9F40-D800CA16A8C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m2:*:*:*:*:*:*",
"matchCriteriaId": "9AE1594A-1C38-461E-B949-76A0C24A3C7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m2-rc1:*:*:*:*:*:*",
"matchCriteriaId": "827AA598-1A62-4529-A7C7-37EB9D56BE6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m3:*:*:*:*:*:*",
"matchCriteriaId": "AA5C9AC9-56E6-4864-9965-827C93755F8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_fileupload:2.0.0:m3-rc1:*:*:*:*:*:*",
"matchCriteriaId": "C2395D9D-DEF6-4CC7-87F9-6D8FC9DCEE74",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue."
},
{
"lang": "es",
"value": "La asignaci\u00f3n de recursos para encabezados multiparte con l\u00edmites insuficientes gener\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en Apache Commons FileUpload. Este problema afecta a Apache Commons FileUpload: de la versi\u00f3n 1.0 a la 1.6; de la versi\u00f3n 2.0.0-M1 a la 2.0.0-M4. Se recomienda actualizar a las versiones 1.6 o 2.0.0-M4, que solucionan el problema."
}
],
"id": "CVE-2025-48976",
"lastModified": "2025-11-03T20:19:07.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-06-16T15:15:24.460",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-VV7R-C36W-3PRJ
Vulnerability from github – Published: 2025-06-16 15:32 – Updated: 2025-11-03 22:59
VLAI
Summary
Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
Details
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Severity
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "commons-fileupload:commons-fileupload"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-fileupload2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-M1"
},
{
"fixed": "2.0.0-M4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48976"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-16T16:52:30Z",
"nvd_published_at": "2025-06-16T15:15:24Z",
"severity": "HIGH"
},
"details": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.",
"id": "GHSA-vv7r-c36w-3prj",
"modified": "2025-11-03T22:59:04Z",
"published": "2025-06-16T15:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-fileupload/commit/b247774a72a044f5d5380ae947140ee80af4e78b"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-fileupload/commit/bf68f63cfb312ef4710fb3dfb4d8e4e1665f4497"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-fileupload"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers"
}
ICSA-25-254-06
Vulnerability from csaf_cisa - Published: 2025-09-09 00:00 - Updated: 2025-09-09 00:00Summary
Siemens Industrial Edge Management
Notes
Summary: Industrial Edge Management is affected by a vulnerability that could allow a remote attacker to cause a denial of service condition.
Siemens recommends specific countermeasures for products where fixes are not, or not yet available.
General Recommendations: As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice: All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Advisory Conversion Disclaimer: This ICSA is a verbatim republication of Siemens ProductCERT SSA-640476 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.
Critical infrastructure sectors: Energy
Countries/areas deployed: Worldwide
Company headquarters location: Germany
Recommended Practices: CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
Recommended Practices: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices: When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices: CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices: Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
7.5 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Industrial Edge Management OS (IEM-OS)
Siemens / Industrial Edge Management OS (IEM-OS)
|
vers:all/* |
Mitigation
Mitigation
No Fix Planned
|
References
10 references
Acknowledgments
Siemens
{
"document": {
"acknowledgments": [
{
"organization": "Siemens",
"summary": "reporting this vulnerability to CISA."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Industrial Edge Management is affected by a vulnerability that could allow a remote attacker to cause a denial of service condition.\n\nSiemens recommends specific countermeasures for products where fixes are not, or not yet available.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This ICSA is a verbatim republication of Siemens ProductCERT SSA-640476 from a direct conversion of the vendor\u0027s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA\u0027s website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Germany",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "SSA-640476: Denial of Service Vulnerability in Industrial Edge Management - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-640476.json"
},
{
"category": "self",
"summary": "SSA-640476: Denial of Service Vulnerability in Industrial Edge Management - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-640476.html"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-25-254-06 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-254-06.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-25-254-06 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-06"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Siemens Industrial Edge Management",
"tracking": {
"current_release_date": "2025-09-09T00:00:00.000000Z",
"generator": {
"date": "2025-09-10T22:19:26.907284Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-25-254-06",
"initial_release_date": "2025-09-09T00:00:00.000000Z",
"revision_history": [
{
"date": "2025-09-09T00:00:00.000000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Industrial Edge Management OS (IEM-OS)",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Industrial Edge Management OS (IEM-OS)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "summary",
"text": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to trusted users and systems only",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Migrate to Industrial Edge Management Virtual (IEM-V)",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2025-48976"
}
]
}
JVNDB-2025-000044
Vulnerability from jvndb - Published: 2025-06-26 14:41 - Updated:2025-10-01 14:18
Severity
Summary
Denial-of-service (DoS) vulnerabilities in multiple Apache products
Details
Multiple Apache products provided by The Apache Software Foundation contain vulnerabilities listed below.
- Allocation of resources without limits or throttling (CWE-770) - CVE-2025-48976, CVE-2025-48988
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000044.html",
"dc:date": "2025-10-01T14:18+09:00",
"dcterms:issued": "2025-06-26T14:41+09:00",
"dcterms:modified": "2025-10-01T14:18+09:00",
"description": "Multiple Apache products provided by The Apache Software Foundation contain vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eAllocation of resources without limits or throttling (CWE-770) - CVE-2025-48976, CVE-2025-48988\u003c/li\u003e\u003c/ul\u003e\r\nTERASOLUNA Framework Security Team of NTT DATA Group Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000044.html",
"sec:cpe": [
{
"#text": "cpe:/a:apache:commons_fileupload",
"@product": "Commons FileUpload",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
},
{
"#text": "cpe:/a:apache:tomcat",
"@product": "Apache Tomcat",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000044",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN09924566/index.html",
"@id": "JVN#09924566",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"@id": "CVE-2025-48976",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48988",
"@id": "CVE-2025-48988",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Denial-of-service (DoS) vulnerabilities in multiple Apache products"
}
JVNDB-2026-002030
Vulnerability from jvndb - Published: 2026-01-29 10:32 - Updated:2026-01-29 10:32Summary
Multiple Vulnerabilities in Cosminexus
Details
Multiple vulnerabilities exist in Cosminexus Component Container.
CVE-2025-48988, CVE-2025-48976
Affected products and versions are listed below. Please upgrade your version to the appropriate version.
These vulnerabilities exist in Cosminexus Component Container which is a component product of other Hitachi products.
For details about the fixed version about Cosminexus products, contact your Hitachi support service representative.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-002030.html",
"dc:date": "2026-01-29T10:32+09:00",
"dcterms:issued": "2026-01-29T10:32+09:00",
"dcterms:modified": "2026-01-29T10:32+09:00",
"description": "Multiple vulnerabilities exist in Cosminexus Component Container.\r\n\r\nCVE-2025-48988, CVE-2025-48976\r\n\r\nAffected products and versions are listed below. Please upgrade your version to the appropriate version.\r\nThese vulnerabilities exist in Cosminexus Component Container which is a component product of other Hitachi products.\r\nFor details about the fixed version about Cosminexus products, contact your Hitachi support service representative.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-002030.html",
"sec:cpe": [
{
"#text": "cpe:/a:hitachi:hitachi_application_server64",
"@product": "uCosminexus Application Server(64)",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:hitachi_application_server_r",
"@product": "uCosminexus Application Server-R",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:programming_environment_for_java",
"@product": "Programming Environment for Java",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_application_server",
"@product": "uCosminexus Application Server",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_developer",
"@product": "uCosminexus Developer",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_primary_server_base",
"@product": "uCosminexus Primary Server Base",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_primary_server_base64",
"@product": "uCosminexus Primary Server Base(64)",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_service_architect",
"@product": "uCosminexus Service Architect",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_service_platform",
"@product": "uCosminexus Service Platform",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:ucosminexus_service_platform_64",
"@product": "uCosminexus Service Platform(64)",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
}
],
"sec:identifier": "JVNDB-2026-002030",
"sec:references": [
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"@id": "CVE-2025-48976",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48988",
"@id": "CVE-2025-48988",
"@source": "CVE"
}
],
"title": "Multiple Vulnerabilities in Cosminexus"
}
JVNDB-2026-007524
Vulnerability from jvndb - Published: 2026-03-17 16:42 - Updated:2026-03-17 16:42Summary
Vulnerability in Hitachi Command Suite
Details
Vulnerability(CVE-2025-48976) has been found in Hitachi Command Suite.
References
| Type | URL | |
|---|---|---|
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-007524.html",
"dc:date": "2026-03-17T16:42+09:00",
"dcterms:issued": "2026-03-17T16:42+09:00",
"dcterms:modified": "2026-03-17T16:42+09:00",
"description": "Vulnerability(CVE-2025-48976) has been found in Hitachi Command Suite.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-007524.html",
"sec:cpe": [
{
"#text": "cpe:/a:hitachi:compute_systems_manager",
"@product": "Hitachi Compute Systems Manager",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:device_manager",
"@product": "Hitachi Device Manager",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
},
{
"#text": "cpe:/a:hitachi:tuning_manager",
"@product": "Hitachi Tuning Manager",
"@vendor": "Hitachi, Ltd",
"@version": "2.2"
}
],
"sec:identifier": "JVNDB-2026-007524",
"sec:references": {
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"@id": "CVE-2025-48976",
"@source": "CVE"
},
"title": "Vulnerability in Hitachi Command Suite"
}
NCSC-2025-0195
Vulnerability from csaf_ncscnl - Published: 2025-06-18 08:01 - Updated: 2025-06-18 08:01Summary
Kwetsbaarheden verholpen in Apache Tomcat
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Apache heeft kwetsbaarheden verholpen in Apache Tomcat (Specifiek voor versies 11.0.0-M1 tot 11.0.7, 10.1.0-M1 tot 10.1.41, en 9.0.0-M1 tot 9.0.105).
Interpretaties: De kwetsbaarheden omvatten een denial-of-service door onvoldoende limieten op multipart headers, een gebrek aan resource allocatie zonder limieten, een onbetrouwbaar zoekpad in de Windows installer, en een kritieke authenticatie omzeiling door onjuiste padverwerking. Aanvallers kunnen deze kwetsbaarheden misbruiken door speciaal samengestelde verzoeken te sturen, wat kan leiden tot ongeoorloofde toegang tot gevoelige bestanden en geheugenuitputting, met als gevolg een verstoring van de service.
Oplossingen: Apache heeft updates uitgebracht om de kwetsbaarheden te verhelpen, waaronder upgrades naar versies 11.0.8, 10.1.42, of 9.0.106. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-426: Untrusted Search Path
CWE-404: Improper Resource Shutdown or Release
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-288: Authentication Bypass Using an Alternate Path or Channel
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/10.1.0-m1|<=10.1.41
Apache Software Foundation / Apache Tomcat
|
vers:semver/10.1.0-m1|<=10.1.41 | ||
|
vers:semver/11.0.0-m1|<=11.0.7
Apache Software Foundation / Apache Tomcat
|
vers:semver/11.0.0-m1|<=11.0.7 | ||
|
vers:semver/9.0.0.m1|<=9.0.105
Apache Software Foundation / Apache Tomcat
|
vers:semver/9.0.0.m1|<=9.0.105 |
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/10.1.0-m1|<=10.1.41
Apache Software Foundation / Apache Tomcat
|
vers:semver/10.1.0-m1|<=10.1.41 | ||
|
vers:semver/11.0.0-m1|<=11.0.7
Apache Software Foundation / Apache Tomcat
|
vers:semver/11.0.0-m1|<=11.0.7 | ||
|
vers:semver/9.0.0.m1|<=9.0.105
Apache Software Foundation / Apache Tomcat
|
vers:semver/9.0.0.m1|<=9.0.105 |
8.4 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/10.1.0-m1|<=10.1.41
Apache Software Foundation / Apache Tomcat
|
vers:semver/10.1.0-m1|<=10.1.41 | ||
|
vers:semver/11.0.0-m1|<=11.0.7
Apache Software Foundation / Apache Tomcat
|
vers:semver/11.0.0-m1|<=11.0.7 | ||
|
vers:semver/9.0.0.m1|<=9.0.105
Apache Software Foundation / Apache Tomcat
|
vers:semver/9.0.0.m1|<=9.0.105 |
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:semver/10.1.0-m1|<=10.1.41
Apache Software Foundation / Apache Tomcat
|
vers:semver/10.1.0-m1|<=10.1.41 | ||
|
vers:semver/11.0.0-m1|<=11.0.7
Apache Software Foundation / Apache Tomcat
|
vers:semver/11.0.0-m1|<=11.0.7 | ||
|
vers:semver/9.0.0.m1|<=9.0.105
Apache Software Foundation / Apache Tomcat
|
vers:semver/9.0.0.m1|<=9.0.105 |
References
7 references
| URL | Category |
|---|---|
| https://tomcat.apache.org/security-10.html | external |
| https://tomcat.apache.org/security-11.html | external |
| https://tomcat.apache.org/security-9.html | external |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Apache heeft kwetsbaarheden verholpen in Apache Tomcat (Specifiek voor versies 11.0.0-M1 tot 11.0.7, 10.1.0-M1 tot 10.1.41, en 9.0.0-M1 tot 9.0.105).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten een denial-of-service door onvoldoende limieten op multipart headers, een gebrek aan resource allocatie zonder limieten, een onbetrouwbaar zoekpad in de Windows installer, en een kritieke authenticatie omzeiling door onjuiste padverwerking. Aanvallers kunnen deze kwetsbaarheden misbruiken door speciaal samengestelde verzoeken te sturen, wat kan leiden tot ongeoorloofde toegang tot gevoelige bestanden en geheugenuitputting, met als gevolg een verstoring van de service.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Apache heeft updates uitgebracht om de kwetsbaarheden te verhelpen, waaronder upgrades naar versies 11.0.8, 10.1.42, of 9.0.106. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Untrusted Search Path",
"title": "CWE-426"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Authentication Bypass Using an Alternate Path or Channel",
"title": "CWE-288"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - certbundde; github; ibm",
"url": "https://tomcat.apache.org/security-10.html"
},
{
"category": "external",
"summary": "Reference - certbundde; github",
"url": "https://tomcat.apache.org/security-11.html"
},
{
"category": "external",
"summary": "Reference - certbundde; cisagov; github",
"url": "https://tomcat.apache.org/security-9.html"
}
],
"title": "Kwetsbaarheden verholpen in Apache Tomcat",
"tracking": {
"current_release_date": "2025-06-18T08:01:06.984131Z",
"generator": {
"date": "2025-06-05T14:45:00Z",
"engine": {
"name": "V.A.",
"version": "1.1"
}
},
"id": "NCSC-2025-0195",
"initial_release_date": "2025-06-18T08:01:06.984131Z",
"revision_history": [
{
"date": "2025-06-18T08:01:06.984131Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:semver/10.1.0-m1|\u003c=10.1.41",
"product": {
"name": "vers:semver/10.1.0-m1|\u003c=10.1.41",
"product_id": "CSAFPID-2919030"
}
},
{
"category": "product_version_range",
"name": "vers:semver/11.0.0-m1|\u003c=11.0.7",
"product": {
"name": "vers:semver/11.0.0-m1|\u003c=11.0.7",
"product_id": "CSAFPID-2919017"
}
},
{
"category": "product_version_range",
"name": "vers:semver/9.0.0.m1|\u003c=9.0.105",
"product": {
"name": "vers:semver/9.0.0.m1|\u003c=9.0.105",
"product_id": "CSAFPID-2919031"
}
}
],
"category": "product_name",
"name": "Apache Tomcat"
}
],
"category": "vendor",
"name": "Apache Software Foundation"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48988",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48988 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48988.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
}
],
"title": "CVE-2025-48988"
},
{
"cve": "CVE-2025-49124",
"cwe": {
"id": "CWE-426",
"name": "Untrusted Search Path"
},
"notes": [
{
"category": "other",
"text": "Untrusted Search Path",
"title": "CWE-426"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49124 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49124.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
}
],
"title": "CVE-2025-49124"
},
{
"cve": "CVE-2025-49125",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"notes": [
{
"category": "other",
"text": "Authentication Bypass Using an Alternate Path or Channel",
"title": "CWE-288"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49125 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49125.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-2919030",
"CSAFPID-2919017",
"CSAFPID-2919031"
]
}
],
"title": "CVE-2025-49125"
}
]
}
NCSC-2025-0274
Vulnerability from csaf_ncscnl - Published: 2025-09-09 11:06 - Updated: 2025-09-09 11:06Summary
Kwetsbaarheden verholpen in Siemens producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Siemens heeft kwetsbaarheden verholpen in diverse producten als Apogee, Industial Edge, RUGGEDCOM, SIMATIC, SIMOTION en SINAMICS.
Interpretaties: De kwetsbaarheden stellen een kwaadwillende mogelijk in staat aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
- Denial-of-Service (DoS)
- Manipulatie van gegevens
- Omzeilen van een beveiligingsmaatregel
- (Remote) code execution (root/admin rechten)
- Toegang tot systeemgegevens
- Toegang tot gevoelige gegevens
- Verhogen van rechten
De kwaadwillende heeft hiervoor toegang nodig tot de productieomgeving. Het is goed gebruik een dergelijke omgeving niet publiek toegankelijk te hebben.
Oplossingen: Siemens heeft beveiligingsupdates uitgebracht om de kwetsbaarheden te verhelpen. Voor de kwetsbaarheden waar nog geen updates voor zijn, heeft Siemens mitigerende maatregelen gepubliceerd om de risico's zoveel als mogelijk te beperken. Zie de bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-121: Stack-based Buffer Overflow
CWE-125: Out-of-bounds Read
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-269: Improper Privilege Management
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-754: Improper Check for Unusual or Exceptional Conditions
CWE-770: Allocation of Resources Without Limits or Throttling
6.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
5.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
9.8 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
CWE-400
- Uncontrolled Resource Consumption
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
CWE-200
- Exposure of Sensitive Information to an Unauthorized Actor
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
9.1 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
8.1 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Siemens / APOGEE PXC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / APOGEE PXC Series (P2 Ethernet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / RUGGEDCOM RST2428P
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V4.1
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC PCS neo V5.0
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SIMATIC Virtualization as a Service (SIVaaS)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS G220 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S200 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / SINAMICS S210 V6.4
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / TALON TC Series (BACnet)
|
vers:unknown/* | ||
|
vers:unknown/*
Siemens / User Management Component (UMC)
|
vers:unknown/* |
References
18 references
| URL | Category |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://cert-portal.siemens.com/productcert/pdf/s… | external |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Siemens heeft kwetsbaarheden verholpen in diverse producten als Apogee, Industial Edge, RUGGEDCOM, SIMATIC, SIMOTION en SINAMICS.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden stellen een kwaadwillende mogelijk in staat aanvallen uit te voeren die kunnen leiden tot de volgende categorie\u00ebn schade:\n\n- Denial-of-Service (DoS)\n- Manipulatie van gegevens\n- Omzeilen van een beveiligingsmaatregel\n- (Remote) code execution (root/admin rechten)\n- Toegang tot systeemgegevens\n- Toegang tot gevoelige gegevens\n- Verhogen van rechten\n\nDe kwaadwillende heeft hiervoor toegang nodig tot de productieomgeving. Het is goed gebruik een dergelijke omgeving niet publiek toegankelijk te hebben.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Siemens heeft beveiligingsupdates uitgebracht om de kwetsbaarheden te verhelpen. Voor de kwetsbaarheden waar nog geen updates voor zijn, heeft Siemens mitigerende maatregelen gepubliceerd om de risico\u0027s zoveel als mogelijk te beperken. Zie de bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Improper Privilege Management",
"title": "CWE-269"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "Improper Check for Unusual or Exceptional Conditions",
"title": "CWE-754"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-027652.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-494539.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-534283.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-563922.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-640476.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-722410.pdf"
},
{
"category": "external",
"summary": "Reference",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-916339.pdf"
}
],
"title": "Kwetsbaarheden verholpen in Siemens producten",
"tracking": {
"current_release_date": "2025-09-09T11:06:34.785987Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.2"
}
},
"id": "NCSC-2025-0274",
"initial_release_date": "2025-09-09T11:06:34.785987Z",
"revision_history": [
{
"date": "2025-09-09T11:06:34.785987Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Series (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "APOGEE PXC Series (P2 Ethernet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "RUGGEDCOM RST2428P"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "SIMATIC PCS neo V4.1"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "SIMATIC PCS neo V5.0"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "SIMATIC Virtualization as a Service (SIVaaS)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "SINAMICS G220 V6.4"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "SINAMICS S200 V6.4"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "SINAMICS S210 V6.4"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "TALON TC Series (BACnet)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "User Management Component (UMC)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-40594",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"notes": [
{
"category": "other",
"text": "Improper Privilege Management",
"title": "CWE-269"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40594 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40594.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40594"
},
{
"cve": "CVE-2025-40757",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40757 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40757.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40757"
},
{
"cve": "CVE-2025-40795",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40795"
},
{
"cve": "CVE-2025-40796",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40796 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40796.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40796"
},
{
"cve": "CVE-2025-40797",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40797 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40797.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40797"
},
{
"cve": "CVE-2025-40798",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40798 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40798.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40798"
},
{
"cve": "CVE-2025-40802",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40802 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40802.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40802"
},
{
"cve": "CVE-2025-40803",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40803 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40803.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40803"
},
{
"cve": "CVE-2025-40804",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-40804 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-40804.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-40804"
},
{
"cve": "CVE-2025-43715",
"cwe": {
"id": "CWE-754",
"name": "Improper Check for Unusual or Exceptional Conditions"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Unusual or Exceptional Conditions",
"title": "CWE-754"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-43715 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-43715.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-43715"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-48976"
}
]
}
NCSC-2025-0328
Vulnerability from csaf_ncscnl - Published: 2025-10-23 07:19 - Updated: 2025-10-23 07:19Summary
Kwetsbaarheden verholpen in Oracle Database producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Oracle heeft kwetsbaarheden verholpen in Oracle Database Server producten
Interpretaties: De kwetsbaarheden in Oracle Database Server stellen ongeauthenticeerde aanvallers in staat om ongeoorloofde toegang te verkrijgen tot kritieke gegevens, wat kan leiden tot schending van de vertrouwelijkheid, integriteit en beschikbaarheid van de data. Specifieke kwetsbaarheden, zoals die in de Portable Clusterware en de Unified Audit componenten, kunnen worden misbruikt door aanvallers met beperkte privileges, wat aanzienlijke risico's met zich meebrengt. De CVSS-scores variëren van 2.7 tot 9.8, afhankelijk van de ernst van de kwetsbaarheid.
Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-125: Out-of-bounds Read
CWE-190: Integer Overflow or Wraparound
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-284: Improper Access Control
CWE-404: Improper Resource Shutdown or Release
CWE-502: Deserialization of Untrusted Data
CWE-611: Improper Restriction of XML External Entity Reference
CWE-674: Uncontrolled Recursion
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-827: Improper Control of Document Type Definition
CWE-937: CWE-937
CWE-1035: CWE-1035
Recent updates address vulnerabilities in various Oracle applications and Apache HttpComponents, with several rated as high risk, allowing potential remote exploitation affecting data integrity and system security.
5.3 (Medium)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Critical vulnerabilities in Oracle GoldenGate Stream Analytics and Apache Ignite could allow unauthenticated access and arbitrary code execution, respectively, with severe implications for system integrity and security.
9.8 (Critical)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.
7.5 (High)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Recent updates to Python versions 3.6 through 3.13.5 address multiple security vulnerabilities, particularly in the tarfile module, while enhancing various functionalities and resolving issues related to memory management and IPv6 handling.
9.4 (Critical)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Recent vulnerabilities in Oracle Database Server's SQLcl component and Eclipse JGit versions expose critical data to unauthorized access and denial of service through XML parsing flaws and require user interaction for exploitation.
9.8 (Critical)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Multiple vulnerabilities in the Bouncy Castle Java library and Oracle GoldenGate products allow for excessive resource allocation and denial of service, affecting various versions and potentially leading to significant disruptions.
5.3 (Medium)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Bouncy Castle for Java and BCPKIX FIPS have a vulnerability allowing excessive resource allocation, while Oracle Communications Cloud Native Core Certificate Management and certain NetApp products face denial of service risks.
7.5 (High)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.
7.5 (High)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Apache Tomcat versions 11.0.0-M1 to 11.0.8, 10.1.0-M1 to 10.1.42, and 9.0.0.M1 to 9.0.106 are vulnerable to Denial of Service due to an Integer Overflow vulnerability, while Oracle Graph Server versions 24.4.3 and 25.3.0 also exhibit a similar flaw.
7.5 (High)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
A vulnerability in Oracle Database Server's Portable Clusterware component affects specific versions, allowing unauthenticated network attackers to access certain data, with a CVSS score of 5.8 indicating confidentiality impacts.
5.8 (Medium)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
A vulnerability in Oracle Database Server's RDBMS Functional Index component (versions 23.4-23.9) allows high-privileged SYSDBA attackers to potentially gain unauthorized read access to certain data, with a CVSS 3.1 Base Score of 2.7.
CWE-125 - Out-of-bounds ReadAffected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
Recent vulnerabilities in Oracle GoldenGate and Connect2id Nimbus JOSE + JWT expose systems to denial of service attacks, with CVSS scores indicating significant availability impacts due to issues with deeply nested JSON objects.
5.8 (Medium)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
A vulnerability in Oracle Database Server's Unified Audit component (versions 23.4-23.9) allows high-privileged DBA attackers to compromise audit integrity, with a CVSS 3.1 Base Score of 2.7.
CWE-284 - Improper Access ControlAffected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
A vulnerability in Oracle Essbase version 21.7.3.0.0 allows low-privileged attackers with HTTP access to compromise the system, posing significant risks to data integrity and confidentiality with a CVSS score of 8.1.
8.1 (High)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
A vulnerability in the Java VM component of Oracle Database Server allows unauthenticated network attackers to compromise the Java VM, potentially leading to unauthorized data manipulation, with a CVSS 3.1 Base Score of 5.9.
5.9 (Medium)
Affected products
Known affected
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Clusterware
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Database Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Essbase Server
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Big Data and Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate Stream Analytics
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / GoldenGate for Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Application Adapters
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Big Data
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Goldengate Veridata
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Graph Server And Client
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Java Virtual Machine
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / REST Data Services
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / SQLcl
|
vers:unknown/* |
References
16 references
| URL | Category |
|---|---|
| https://www.oracle.com/docs/tech/security-alerts/… | external |
| https://vulnerabilities.ncsc.nl/csaf/v2/2020/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle heeft kwetsbaarheden verholpen in Oracle Database Server producten",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in Oracle Database Server stellen ongeauthenticeerde aanvallers in staat om ongeoorloofde toegang te verkrijgen tot kritieke gegevens, wat kan leiden tot schending van de vertrouwelijkheid, integriteit en beschikbaarheid van de data. Specifieke kwetsbaarheden, zoals die in de Portable Clusterware en de Unified Audit componenten, kunnen worden misbruikt door aanvallers met beperkte privileges, wat aanzienlijke risico\u0027s met zich meebrengt. De CVSS-scores vari\u00ebren van 2.7 tot 9.8, afhankelijk van de ernst van de kwetsbaarheid.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Improper Control of Document Type Definition",
"title": "CWE-827"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.oracle.com/docs/tech/security-alerts/cpuoct2025csaf.json"
}
],
"title": "Kwetsbaarheden verholpen in Oracle Database producten",
"tracking": {
"current_release_date": "2025-10-23T07:19:57.652532Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0328",
"initial_release_date": "2025-10-23T07:19:57.652532Z",
"revision_history": [
{
"date": "2025-10-23T07:19:57.652532Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Clusterware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Database Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Essbase"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Essbase Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "GoldenGate Big Data and Application Adapters"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "GoldenGate Stream Analytics"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "GoldenGate for Big Data"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "Goldengate Application Adapters"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "Goldengate Big Data"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "Goldengate Veridata"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "Graph Server And Client"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "Java Virtual Machine"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "REST Data Services"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "SQLcl"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13956",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "Recent updates address vulnerabilities in various Oracle applications and Apache HttpComponents, with several rated as high risk, allowing potential remote exploitation affecting data integrity and system security.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2020-13956 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2020/cve-2020-13956.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2024-52577",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "Critical vulnerabilities in Oracle GoldenGate Stream Analytics and Apache Ignite could allow unauthenticated access and arbitrary code execution, respectively, with severe implications for system integrity and security.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-52577 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-52577.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2024-52577"
},
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-57699 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2024-57699"
},
{
"cve": "CVE-2025-4517",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "Recent updates to Python versions 3.6 through 3.13.5 address multiple security vulnerabilities, particularly in the tarfile module, while enhancing various functionalities and resolving issues related to memory management and IPv6 handling.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-4517 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4517.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-4517"
},
{
"cve": "CVE-2025-4949",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "other",
"text": "Improper Control of Document Type Definition",
"title": "CWE-827"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle Database Server\u0027s SQLcl component and Eclipse JGit versions expose critical data to unauthorized access and denial of service through XML parsing flaws and require user interaction for exploitation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-4949 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4949.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-4949"
},
{
"cve": "CVE-2025-8885",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple vulnerabilities in the Bouncy Castle Java library and Oracle GoldenGate products allow for excessive resource allocation and denial of service, affecting various versions and potentially leading to significant disruptions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-8885 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8885.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-8885"
},
{
"cve": "CVE-2025-8916",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Bouncy Castle for Java and BCPKIX FIPS have a vulnerability allowing excessive resource allocation, while Oracle Communications Cloud Native Core Certificate Management and certain NetApp products face denial of service risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-8916 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8916.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-8916"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-52520",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "other",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
},
{
"category": "description",
"text": "Apache Tomcat versions 11.0.0-M1 to 11.0.8, 10.1.0-M1 to 10.1.42, and 9.0.0.M1 to 9.0.106 are vulnerable to Denial of Service due to an Integer Overflow vulnerability, while Oracle Graph Server versions 24.4.3 and 25.3.0 also exhibit a similar flaw.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52520 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52520.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-52520"
},
{
"cve": "CVE-2025-53047",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "A vulnerability in Oracle Database Server\u0027s Portable Clusterware component affects specific versions, allowing unauthenticated network attackers to access certain data, with a CVSS score of 5.8 indicating confidentiality impacts.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-53047 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53047.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-53047"
},
{
"cve": "CVE-2025-53051",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "A vulnerability in Oracle Database Server\u0027s RDBMS Functional Index component (versions 23.4-23.9) allows high-privileged SYSDBA attackers to potentially gain unauthorized read access to certain data, with a CVSS 3.1 Base Score of 2.7.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-53051 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53051.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-53051"
},
{
"cve": "CVE-2025-53864",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle GoldenGate and Connect2id Nimbus JOSE + JWT expose systems to denial of service attacks, with CVSS scores indicating significant availability impacts due to issues with deeply nested JSON objects.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-53864 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53864.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-53864"
},
{
"cve": "CVE-2025-61749",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "description",
"text": "A vulnerability in Oracle Database Server\u0027s Unified Audit component (versions 23.4-23.9) allows high-privileged DBA attackers to compromise audit integrity, with a CVSS 3.1 Base Score of 2.7.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61749 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61749.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-61749"
},
{
"cve": "CVE-2025-61763",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "description",
"text": "A vulnerability in Oracle Essbase version 21.7.3.0.0 allows low-privileged attackers with HTTP access to compromise the system, posing significant risks to data integrity and confidentiality with a CVSS score of 8.1.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61763 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61763.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-61763"
},
{
"cve": "CVE-2025-61881",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "description",
"text": "A vulnerability in the Java VM component of Oracle Database Server allows unauthenticated network attackers to compromise the Java VM, potentially leading to unauthorized data manipulation, with a CVSS 3.1 Base Score of 5.9.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61881 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61881.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14"
]
}
],
"title": "CVE-2025-61881"
}
]
}
NCSC-2025-0329
Vulnerability from csaf_ncscnl - Published: 2025-10-23 07:20 - Updated: 2025-10-23 07:20Summary
Kwetsbaarheden verholpen in Oracle Commerce
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende subcomponenten van Oracle Commerce producten, waaronder Oracle Middleware Common Libraries, Oracle Documaker, Oracle WebCenter Forms Recognition, Oracle WebLogic Server, en Oracle Application Testing Suite.
Interpretaties: De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om gedeeltelijke of volledige Denial of Service (DoS) te veroorzaken, met CVSS-scores variërend van 2.7 tot 7.5. Dit kan leiden tot systeemuitval en ongeoorloofde toegang tot gegevens. Aanvallers kunnen deze kwetsbaarheden misbruiken door specifieke verzoeken te sturen die de systemen overbelasten of door gebruik te maken van onbetrouwbare invoer. De kwetsbaarheden zijn aangetroffen in verschillende versies van de betrokken producten, wat de impact vergroot.
Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-20: Improper Input Validation
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-674: Uncontrolled Recursion
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-937: CWE-937
CWE-1035: CWE-1035
Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform's Dynamo Application Framework allows low-privileged attackers to manipulate data.
CWE-20 - Improper Input ValidationAffected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.
5.6 (Medium)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.
6.5 (Medium)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
Recent updates to Netty address critical vulnerabilities, including the 'MadeYouReset' DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.
7.5 (High)
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Oracle / Commerce
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Guided Search
|
vers:unknown/* | ||
|
vers:unknown/*
Oracle / Oracle Commerce Platform
|
vers:unknown/* |
References
9 references
| URL | Category |
|---|---|
| https://www.oracle.com/docs/tech/security-alerts/… | external |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle heeft kwetsbaarheden verholpen in verschillende subcomponenten van Oracle Commerce producten, waaronder Oracle Middleware Common Libraries, Oracle Documaker, Oracle WebCenter Forms Recognition, Oracle WebLogic Server, en Oracle Application Testing Suite.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om gedeeltelijke of volledige Denial of Service (DoS) te veroorzaken, met CVSS-scores vari\u00ebrend van 2.7 tot 7.5. Dit kan leiden tot systeemuitval en ongeoorloofde toegang tot gegevens. Aanvallers kunnen deze kwetsbaarheden misbruiken door specifieke verzoeken te sturen die de systemen overbelasten of door gebruik te maken van onbetrouwbare invoer. De kwetsbaarheden zijn aangetroffen in verschillende versies van de betrokken producten, wat de impact vergroot.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.oracle.com/docs/tech/security-alerts/cpuoct2025csaf.json"
}
],
"title": "Kwetsbaarheden verholpen in Oracle Commerce",
"tracking": {
"current_release_date": "2025-10-23T07:20:51.213314Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0329",
"initial_release_date": "2025-10-23T07:20:51.213314Z",
"revision_history": [
{
"date": "2025-10-23T07:20:51.213314Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Commerce"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Oracle Commerce Guided Search"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Oracle Commerce Platform"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-47554",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-47554 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2024-47554"
},
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-57699 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2024-57699"
},
{
"cve": "CVE-2025-22233",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform\u0027s Dynamo Application Framework allows low-privileged attackers to manipulate data.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-22233 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22233.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-22233"
},
{
"cve": "CVE-2025-48795",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48795"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48989 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent updates to Netty address critical vulnerabilities, including the \u0027MadeYouReset\u0027 DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55163 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-55163"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…