Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-49146 (GCVE-0-2025-49146)
Vulnerability from cvelistv5 – Published: 2025-06-11 14:32 – Updated: 2025-06-11 14:46
VLAI
EPSS
Title
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration
Summary
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
Severity
8.2 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/pgjdbc/pgjdbc/security/advisor… | x_refsource_CONFIRM |
| https://github.com/pgjdbc/pgjdbc/commit/9217ed16c… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T14:46:03.689878Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T14:46:17.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pgjdbc",
"vendor": "pgjdbc",
"versions": [
{
"status": "affected",
"version": "\u003e= 42.7.4, \u003c 42.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T14:32:39.348Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
},
{
"name": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
}
],
"source": {
"advisory": "GHSA-hq9p-pm7w-8p54",
"discovery": "UNKNOWN"
},
"title": "pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49146",
"datePublished": "2025-06-11T14:32:39.348Z",
"dateReserved": "2025-06-02T10:39:41.635Z",
"dateUpdated": "2025-06-11T14:46:17.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-49146",
"date": "2026-05-27",
"epss": "0.0004",
"percentile": "0.12203"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-49146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-11T15:15:42.850\",\"lastModified\":\"2025-10-06T19:29:58.977\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.\"},{\"lang\":\"es\",\"value\":\"pgjdbc es un controlador JDBC de PostgreSQL de c\u00f3digo abierto. Desde la versi\u00f3n 42.7.4 hasta la 42.7.7, cuando el controlador JDBC de PostgreSQL se configura con el enlace de canal establecido como obligatorio (el valor predeterminado es prefer), el controlador permit\u00eda incorrectamente que las conexiones procedieran con m\u00e9todos de autenticaci\u00f3n que no admiten el enlace de canal (como la autenticaci\u00f3n por contrase\u00f1a, MD5, GSS o SSPI). Esto podr\u00eda permitir que un atacante intermediario interceptara conexiones que los usuarios cre\u00edan protegidas por los requisitos de enlace de canal. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 42.7.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"42.7.4\",\"versionEndExcluding\":\"42.7.7\",\"matchCriteriaId\":\"AB6CB167-5F75-4516-99E3-B2E895411166\"}]}]}],\"references\":[{\"url\":\"https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49146\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-11T14:46:03.689878Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-11T14:46:07.867Z\"}}], \"cna\": {\"title\": \"pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration\", \"source\": {\"advisory\": \"GHSA-hq9p-pm7w-8p54\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pgjdbc\", \"product\": \"pgjdbc\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 42.7.4, \u003c 42.7.7\"}]}], \"references\": [{\"url\": \"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54\", \"name\": \"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0\", \"name\": \"https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-11T14:32:39.348Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-49146\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-11T14:46:17.286Z\", \"dateReserved\": \"2025-06-02T10:39:41.635Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-11T14:32:39.348Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-HQ9P-PM7W-8P54
Vulnerability from github – Published: 2025-06-11 14:44 – Updated: 2025-06-11 16:17
VLAI
Summary
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration
Details
Impact
When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.
Patches
TBD
Workarounds
Configure sslMode=verify-full to prevent MITM attacks.
References
- https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256
- https://datatracker.ietf.org/doc/html/rfc7677
- https://datatracker.ietf.org/doc/html/rfc5802
Severity
8.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.postgresql:postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "42.7.4"
},
{
"fixed": "42.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49146"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-11T14:44:04Z",
"nvd_published_at": "2025-06-11T15:15:42Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.\n\n### Patches\nTBD\n\n### Workarounds\n\nConfigure `sslMode=verify-full` to prevent MITM attacks.\n\n### References\n\n* https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256\n* https://datatracker.ietf.org/doc/html/rfc7677\n* https://datatracker.ietf.org/doc/html/rfc5802",
"id": "GHSA-hq9p-pm7w-8p54",
"modified": "2025-06-11T16:17:03Z",
"published": "2025-06-11T14:44:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"type": "WEB",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc5802"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7677"
},
{
"type": "PACKAGE",
"url": "https://github.com/pgjdbc/pgjdbc"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration"
}
NCSC-2026-0034
Vulnerability from csaf_ncscnl - Published: 2026-01-22 09:03 - Updated: 2026-01-22 09:03Summary
Kwetsbaarheden verholpen in Atlassian producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.
Interpretaties: Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens.
Een reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.
Oplossingen: Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-20: Improper Input Validation
CWE-23: Relative Path Traversal
CWE-121: Stack-based Buffer Overflow
CWE-285: Improper Authorization
CWE-287: Improper Authentication
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-459: Incomplete Cleanup
CWE-611: Improper Restriction of XML External Entity Reference
CWE-697: Incorrect Comparison
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-787: Out-of-bounds Write
CWE-863: Incorrect Authorization
CWE-918: Server-Side Request Forgery (SSRF)
CWE-937: CWE-937
CWE-1035: CWE-1035
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1333: Inefficient Regular Expression Complexity
Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.
CWE-1333 - Inefficient Regular Expression ComplexityAffected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.
8.6 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.
7.3 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.
8.7 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The `qs` module's `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.
8.2 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.
8.8 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.
9.8 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.
8.1 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.
10.0 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.
9.1 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.
9.1 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
References
26 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.",
"title": "Feiten"
},
{
"category": "description",
"text": "Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens.\nEen reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Relative Path Traversal",
"title": "CWE-23"
},
{
"category": "general",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "general",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Incomplete Cleanup",
"title": "CWE-459"
},
{
"category": "general",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "general",
"text": "Incorrect Comparison",
"title": "CWE-697"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "general",
"text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CWE-1321"
},
{
"category": "general",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://confluence.atlassian.com/security/security-bulletin-january-20-2026-1712324819.html"
}
],
"title": "Kwetsbaarheden verholpen in Atlassian producten",
"tracking": {
"current_release_date": "2026-01-22T09:03:42.667958Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0034",
"initial_release_date": "2026-01-22T09:03:42.667958Z",
"revision_history": [
{
"date": "2026-01-22T09:03:42.667958Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Bamboo"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Bitbucket"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Confluence"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Crowd Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "Crucible"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Fisheye"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "Jira"
}
],
"category": "vendor",
"name": "Atlassian"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3807",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "other",
"text": "Incorrect Comparison",
"title": "CWE-697"
},
{
"category": "description",
"text": "Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-3807 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-3807.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2022-25883",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-25883 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-25883.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2022-25883"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-45693 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-45693.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2022-45693"
},
{
"cve": "CVE-2024-21538",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21538 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-21538.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-21538"
},
{
"cve": "CVE-2024-38286",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38286 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-38286.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-38286"
},
{
"cve": "CVE-2024-45296",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45296 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45296.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-45296"
},
{
"cve": "CVE-2024-45801",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "other",
"text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CWE-1321"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45801 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45801.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-45801"
},
{
"cve": "CVE-2025-12383",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12383 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-12383"
},
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "The `qs` module\u0027s `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-15284 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-15284.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-15284"
},
{
"cve": "CVE-2025-27152",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "description",
"text": "Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-27152 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27152.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-27152"
},
{
"cve": "CVE-2025-41249",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"category": "other",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-41249 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-41249"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48989 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "description",
"text": "Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49146 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49146.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-49146"
},
{
"cve": "CVE-2025-52434",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "description",
"text": "Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52434 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52434.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-52434"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "description",
"text": "Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52999 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52999.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-52999"
},
{
"cve": "CVE-2025-53689",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "description",
"text": "Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-53689 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53689.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-53689"
},
{
"cve": "CVE-2025-54988",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-54988 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-54988"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55163 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-55752",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"notes": [
{
"category": "other",
"text": "Relative Path Traversal",
"title": "CWE-23"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55752 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55752.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-55752"
},
{
"cve": "CVE-2025-64775",
"cwe": {
"id": "CWE-459",
"name": "Incomplete Cleanup"
},
"notes": [
{
"category": "other",
"text": "Incomplete Cleanup",
"title": "CWE-459"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64775 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64775.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-64775"
},
{
"cve": "CVE-2025-66516",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-66516 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-66516"
},
{
"cve": "CVE-2025-9287",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-9287 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9287.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-9287"
},
{
"cve": "CVE-2025-9288",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-9288 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9288.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-9288"
},
{
"cve": "CVE-2026-21569",
"notes": [
{
"category": "description",
"text": "A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21569 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21569.json"
}
],
"title": "CVE-2026-21569"
}
]
}
OPENSUSE-SU-2025:15264-1
Vulnerability from csaf_opensuse - Published: 2025-07-03 00:00 - Updated: 2025-07-03 00:00Summary
postgresql-jdbc-42.7.7-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: postgresql-jdbc-42.7.7-1.1 on GA media
Description of the patch: These are all security issues fixed in the postgresql-jdbc-42.7.7-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15264
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.2 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "postgresql-jdbc-42.7.7-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the postgresql-jdbc-42.7.7-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15264",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15264-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-49146 page",
"url": "https://www.suse.com/security/cve/CVE-2025-49146/"
}
],
"title": "postgresql-jdbc-42.7.7-1.1 on GA media",
"tracking": {
"current_release_date": "2025-07-03T00:00:00Z",
"generator": {
"date": "2025-07-03T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15264-1",
"initial_release_date": "2025-07-03T00:00:00Z",
"revision_history": [
{
"date": "2025-07-03T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "postgresql-jdbc-42.7.7-1.1.aarch64",
"product": {
"name": "postgresql-jdbc-42.7.7-1.1.aarch64",
"product_id": "postgresql-jdbc-42.7.7-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"product": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"product_id": "postgresql-jdbc-javadoc-42.7.7-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "postgresql-jdbc-42.7.7-1.1.ppc64le",
"product": {
"name": "postgresql-jdbc-42.7.7-1.1.ppc64le",
"product_id": "postgresql-jdbc-42.7.7-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"product": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"product_id": "postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "postgresql-jdbc-42.7.7-1.1.s390x",
"product": {
"name": "postgresql-jdbc-42.7.7-1.1.s390x",
"product_id": "postgresql-jdbc-42.7.7-1.1.s390x"
}
},
{
"category": "product_version",
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"product": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"product_id": "postgresql-jdbc-javadoc-42.7.7-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "postgresql-jdbc-42.7.7-1.1.x86_64",
"product": {
"name": "postgresql-jdbc-42.7.7-1.1.x86_64",
"product_id": "postgresql-jdbc-42.7.7-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.x86_64",
"product": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.x86_64",
"product_id": "postgresql-jdbc-javadoc-42.7.7-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-42.7.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.aarch64"
},
"product_reference": "postgresql-jdbc-42.7.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-42.7.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.ppc64le"
},
"product_reference": "postgresql-jdbc-42.7.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-42.7.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.s390x"
},
"product_reference": "postgresql-jdbc-42.7.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-42.7.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.x86_64"
},
"product_reference": "postgresql-jdbc-42.7.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.aarch64"
},
"product_reference": "postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le"
},
"product_reference": "postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.s390x"
},
"product_reference": "postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-jdbc-javadoc-42.7.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.x86_64"
},
"product_reference": "postgresql-jdbc-javadoc-42.7.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-49146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-49146"
}
],
"notes": [
{
"category": "general",
"text": "pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.x86_64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-49146",
"url": "https://www.suse.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "SUSE Bug 1244490 for CVE-2025-49146",
"url": "https://bugzilla.suse.com/1244490"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.x86_64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-42.7.7-1.1.x86_64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.aarch64",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.ppc64le",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.s390x",
"openSUSE Tumbleweed:postgresql-jdbc-javadoc-42.7.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-03T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-49146"
}
]
}
RHSA-2025:10323
Vulnerability from csaf_redhat - Published: 2025-07-03 12:45 - Updated: 2026-05-06 20:35Summary
Red Hat Security Advisory: Red Hat build of Cryostat security update
Severity
Important
Notes
Topic: An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.
Security Fix(es):
* pgjdbc: pgjdbc insecure authentication in channel binding (CVE-2025-49146)
* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system to send hidden or unauthorized requests.
5.4 (Medium)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
22 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
19 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nSecurity Fix(es):\n\n* pgjdbc: pgjdbc insecure authentication in channel binding (CVE-2025-49146)\n* net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10323",
"url": "https://access.redhat.com/errata/RHSA-2025:10323"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10323.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Cryostat security update",
"tracking": {
"current_release_date": "2026-05-06T20:35:08+00:00",
"generator": {
"date": "2026-05-06T20:35:08+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10323",
"initial_release_date": "2025-07-03T12:45:38+00:00",
"revision_history": [
{
"date": "2025-07-03T12:45:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-03T12:45:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-06T20:35:08+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Cryostat 4 on RHEL 9",
"product": {
"name": "Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cryostat:4::el9"
}
}
}
],
"category": "product_family",
"name": "Cryostat"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.5.1-2"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.0.1-4"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"product": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"product_id": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-ose-oauth-proxy-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"product_id": "cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.0.1-2"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.0.1-3"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.5.1-2"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.0.1-4"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"product": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"product_id": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-ose-oauth-proxy-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"product_id": "cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.0.1-3"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.0.1-2"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.0.1-5"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.0.1-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64"
},
"product_reference": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64"
},
"product_reference": "cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22871",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-04-08T21:01:32.229479+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2358493"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Moderate. Satellite uses the affected Go net/http component solely as a client to make requests, not as a server. Since this vulnerability only affects server-side usage, Satellite is not directly exposed to the flaw, justifying the lower severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22871"
},
{
"category": "external",
"summary": "RHBZ#2358493",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"category": "external",
"summary": "https://go.dev/cl/652998",
"url": "https://go.dev/cl/652998"
},
{
"category": "external",
"summary": "https://go.dev/issue/71988",
"url": "https://go.dev/issue/71988"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3563",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
}
],
"release_date": "2025-04-08T20:04:34.769000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-03T12:45:38+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10323"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-03T12:45:38+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10323"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:aa01ceadbd32d164f7feb7caaa2c58297b899155d3a3599c874c83bd9f57feaf_arm64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:d08b2861242a21f3beb558cbbe1d9e7fda14cd64a98a5353fa22c9bcfaf04ec5_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:6005d655a5a31306699b6188bb4ece4f8db0babf1b55dd4400aecc1ef5ade929_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:90561085fd86da05310ac57e3f97de218a69b7a5e696b74b743d1afdc444fa2f_amd64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:131c25a073ea4c1d5d3c769471ec7b20ee36f87cd53f1bb647c7f26128f343de_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:e6c71b8d8d6a0ec6a7a3565be7520386220269237ccd7ed3e000c237a8d079cc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:1c747d0841043cd68d1fb7f145575126028880e1f5cf2c779f5b94ea7add9df3_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:4d2c7508e6314333cd44ff44b60b7f4fd8aa9ce311abd42f820664681b17aa5f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:379db267d1a41c692837d46f28e67b8ec7116bc2039983e4a75af8a4233d854e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:9e988f77ee49c4dfd6be170995bc4e06146a8d9aa534cfd72d7317d4ffdbd4d1_amd64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:2c6ed9078f50ac596532748df08fa6ab94ee5a0013832a70e21d82e0986f352e_arm64",
"9Base-Cryostat-4:cryostat/cryostat-ose-oauth-proxy-rhel9@sha256:8ac34200ee4ae6fe029b764f4583853012403bec5ba4976f55e21b73809bb37c_amd64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:51e431b8322892158c98ef5167c5969ca7be393e8d3604c5edcb1b6fbae9f903_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:93c9bc777689846ce98d380a9e40510e0335650098c4f1cd78d6e22708b665e9_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:7ee8a548ff6dcf60f03c343d0855f31971be31dbd22f860e78cbbdb47431286d_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:a5256c3b639babff0f7ce7e1703496de30678cc66a4e75fc9fa5aa598af85c3d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:6ba83d32690961d0d460d82f0e55515b2d65a6b61b7bcc42f793c24b5edec1bd_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:da64589a8fd2ddfe48c41dbf62b24a567ea443d2861dfe6a7a3eaf64d0d26749_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:372f7df5da148869525a6d92726f6d9ba877e8b225ef2c23bd87248f5b209e79_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:76a9c70cb1c3061ad99c1d85d78e9f401ad340afd89ed2a5ddcad66fa694f9f1_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:0827195b202e1a0783535915d03eeaad933af6834e7e5f8addf5ff47bcc8d744_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:bbb5fda56e73084e91f6ea8f1b32bd642fbe02163efba82d3e70166968313da3_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
}
]
}
RHSA-2025:13010
Vulnerability from csaf_redhat - Published: 2025-08-07 10:54 - Updated: 2026-03-18 03:05Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.20.2 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 3.20.2 includes the following CVE fixes:
* quarkus-bom: pgjdbc insecure authentication in channel binding [quarkus-3.20] (CVE-2025-49146)
* quarkus-bom: Quarkus potential data leak [quarkus-3.20] (CVE-2025-49574)
For more information, see the release notes page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.20.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.20::el8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.20.2
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.20::el8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
65 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.20.2 includes the following CVE fixes:\n\n* quarkus-bom: pgjdbc insecure authentication in channel binding [quarkus-3.20] (CVE-2025-49146)\n\n* quarkus-bom: Quarkus potential data leak [quarkus-3.20] (CVE-2025-49574)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:13010",
"url": "https://access.redhat.com/errata/RHSA-2025:13010"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.2"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
},
{
"category": "external",
"summary": "QUARKUS-5653",
"url": "https://issues.redhat.com/browse/QUARKUS-5653"
},
{
"category": "external",
"summary": "QUARKUS-5662",
"url": "https://issues.redhat.com/browse/QUARKUS-5662"
},
{
"category": "external",
"summary": "QUARKUS-5663",
"url": "https://issues.redhat.com/browse/QUARKUS-5663"
},
{
"category": "external",
"summary": "QUARKUS-5858",
"url": "https://issues.redhat.com/browse/QUARKUS-5858"
},
{
"category": "external",
"summary": "QUARKUS-6336",
"url": "https://issues.redhat.com/browse/QUARKUS-6336"
},
{
"category": "external",
"summary": "QUARKUS-6337",
"url": "https://issues.redhat.com/browse/QUARKUS-6337"
},
{
"category": "external",
"summary": "QUARKUS-6338",
"url": "https://issues.redhat.com/browse/QUARKUS-6338"
},
{
"category": "external",
"summary": "QUARKUS-6339",
"url": "https://issues.redhat.com/browse/QUARKUS-6339"
},
{
"category": "external",
"summary": "QUARKUS-6342",
"url": "https://issues.redhat.com/browse/QUARKUS-6342"
},
{
"category": "external",
"summary": "QUARKUS-6343",
"url": "https://issues.redhat.com/browse/QUARKUS-6343"
},
{
"category": "external",
"summary": "QUARKUS-6344",
"url": "https://issues.redhat.com/browse/QUARKUS-6344"
},
{
"category": "external",
"summary": "QUARKUS-6346",
"url": "https://issues.redhat.com/browse/QUARKUS-6346"
},
{
"category": "external",
"summary": "QUARKUS-6347",
"url": "https://issues.redhat.com/browse/QUARKUS-6347"
},
{
"category": "external",
"summary": "QUARKUS-6348",
"url": "https://issues.redhat.com/browse/QUARKUS-6348"
},
{
"category": "external",
"summary": "QUARKUS-6349",
"url": "https://issues.redhat.com/browse/QUARKUS-6349"
},
{
"category": "external",
"summary": "QUARKUS-6350",
"url": "https://issues.redhat.com/browse/QUARKUS-6350"
},
{
"category": "external",
"summary": "QUARKUS-6353",
"url": "https://issues.redhat.com/browse/QUARKUS-6353"
},
{
"category": "external",
"summary": "QUARKUS-6356",
"url": "https://issues.redhat.com/browse/QUARKUS-6356"
},
{
"category": "external",
"summary": "QUARKUS-6359",
"url": "https://issues.redhat.com/browse/QUARKUS-6359"
},
{
"category": "external",
"summary": "QUARKUS-6360",
"url": "https://issues.redhat.com/browse/QUARKUS-6360"
},
{
"category": "external",
"summary": "QUARKUS-6361",
"url": "https://issues.redhat.com/browse/QUARKUS-6361"
},
{
"category": "external",
"summary": "QUARKUS-6362",
"url": "https://issues.redhat.com/browse/QUARKUS-6362"
},
{
"category": "external",
"summary": "QUARKUS-6363",
"url": "https://issues.redhat.com/browse/QUARKUS-6363"
},
{
"category": "external",
"summary": "QUARKUS-6364",
"url": "https://issues.redhat.com/browse/QUARKUS-6364"
},
{
"category": "external",
"summary": "QUARKUS-6365",
"url": "https://issues.redhat.com/browse/QUARKUS-6365"
},
{
"category": "external",
"summary": "QUARKUS-6367",
"url": "https://issues.redhat.com/browse/QUARKUS-6367"
},
{
"category": "external",
"summary": "QUARKUS-6368",
"url": "https://issues.redhat.com/browse/QUARKUS-6368"
},
{
"category": "external",
"summary": "QUARKUS-6369",
"url": "https://issues.redhat.com/browse/QUARKUS-6369"
},
{
"category": "external",
"summary": "QUARKUS-6370",
"url": "https://issues.redhat.com/browse/QUARKUS-6370"
},
{
"category": "external",
"summary": "QUARKUS-6371",
"url": "https://issues.redhat.com/browse/QUARKUS-6371"
},
{
"category": "external",
"summary": "QUARKUS-6373",
"url": "https://issues.redhat.com/browse/QUARKUS-6373"
},
{
"category": "external",
"summary": "QUARKUS-6375",
"url": "https://issues.redhat.com/browse/QUARKUS-6375"
},
{
"category": "external",
"summary": "QUARKUS-6377",
"url": "https://issues.redhat.com/browse/QUARKUS-6377"
},
{
"category": "external",
"summary": "QUARKUS-6378",
"url": "https://issues.redhat.com/browse/QUARKUS-6378"
},
{
"category": "external",
"summary": "QUARKUS-6379",
"url": "https://issues.redhat.com/browse/QUARKUS-6379"
},
{
"category": "external",
"summary": "QUARKUS-6382",
"url": "https://issues.redhat.com/browse/QUARKUS-6382"
},
{
"category": "external",
"summary": "QUARKUS-6384",
"url": "https://issues.redhat.com/browse/QUARKUS-6384"
},
{
"category": "external",
"summary": "QUARKUS-6385",
"url": "https://issues.redhat.com/browse/QUARKUS-6385"
},
{
"category": "external",
"summary": "QUARKUS-6386",
"url": "https://issues.redhat.com/browse/QUARKUS-6386"
},
{
"category": "external",
"summary": "QUARKUS-6387",
"url": "https://issues.redhat.com/browse/QUARKUS-6387"
},
{
"category": "external",
"summary": "QUARKUS-6388",
"url": "https://issues.redhat.com/browse/QUARKUS-6388"
},
{
"category": "external",
"summary": "QUARKUS-6389",
"url": "https://issues.redhat.com/browse/QUARKUS-6389"
},
{
"category": "external",
"summary": "QUARKUS-6390",
"url": "https://issues.redhat.com/browse/QUARKUS-6390"
},
{
"category": "external",
"summary": "QUARKUS-6391",
"url": "https://issues.redhat.com/browse/QUARKUS-6391"
},
{
"category": "external",
"summary": "QUARKUS-6392",
"url": "https://issues.redhat.com/browse/QUARKUS-6392"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13010.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.2 release and security update",
"tracking": {
"current_release_date": "2026-03-18T03:05:16+00:00",
"generator": {
"date": "2026-03-18T03:05:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:13010",
"initial_release_date": "2025-08-07T10:54:22+00:00",
"revision_history": [
{
"date": "2025-08-07T10:54:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-07T10:54:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:05:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.20.2",
"product": {
"name": "Red Hat build of Quarkus 3.20.2",
"product_id": "Red Hat build of Quarkus 3.20.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.20::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-07T10:54:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13010"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
},
{
"cve": "CVE-2025-49574",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2025-06-23T20:00:57.216622+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374376"
}
],
"notes": [
{
"category": "description",
"text": "A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus/quarkus-vertx: Quarkus potential data leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49574"
},
{
"category": "external",
"summary": "RHBZ#2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49574"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1",
"url": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/48227",
"url": "https://github.com/quarkusio/quarkus/issues/48227"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4"
}
],
"release_date": "2025-06-23T19:47:05.454000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-07T10:54:22+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13010"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.quarkus/quarkus-vertx: Quarkus potential data leak"
}
]
}
RHSA-2025:13012
Vulnerability from csaf_redhat - Published: 2025-08-07 10:51 - Updated: 2026-03-18 03:05Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.15.6 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 3.15.6 includes the following CVE fixes:
* quarkus-bom: pgjdbc insecure authentication in channel binding [quarkus-3.15] (CVE-2025-49146)
* quarkus-bom: Quarkus potential data leak [quarkus-3.15] (CVE-2025-49574)
For more information, see the release notes page listed in the References
section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.15.6
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.15::el8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Quarkus 3.15.6
Red Hat / Red Hat build of Quarkus
|
cpe:/a:redhat:quarkus:3.15::el8
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.15.6 includes the following CVE fixes:\n\n* quarkus-bom: pgjdbc insecure authentication in channel binding [quarkus-3.15] (CVE-2025-49146)\n\n* quarkus-bom: Quarkus potential data leak [quarkus-3.15] (CVE-2025-49574)\n\nFor more information, see the release notes page listed in the References\nsection.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:13012",
"url": "https://access.redhat.com/errata/RHSA-2025:13012"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.6",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.6"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.15",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.15"
},
{
"category": "external",
"summary": "QUARKUS-5632",
"url": "https://issues.redhat.com/browse/QUARKUS-5632"
},
{
"category": "external",
"summary": "QUARKUS-6294",
"url": "https://issues.redhat.com/browse/QUARKUS-6294"
},
{
"category": "external",
"summary": "QUARKUS-6318",
"url": "https://issues.redhat.com/browse/QUARKUS-6318"
},
{
"category": "external",
"summary": "QUARKUS-6320",
"url": "https://issues.redhat.com/browse/QUARKUS-6320"
},
{
"category": "external",
"summary": "QUARKUS-6328",
"url": "https://issues.redhat.com/browse/QUARKUS-6328"
},
{
"category": "external",
"summary": "QUARKUS-6331",
"url": "https://issues.redhat.com/browse/QUARKUS-6331"
},
{
"category": "external",
"summary": "QUARKUS-6332",
"url": "https://issues.redhat.com/browse/QUARKUS-6332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13012.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.15.6 release and security update",
"tracking": {
"current_release_date": "2026-03-18T03:05:14+00:00",
"generator": {
"date": "2026-03-18T03:05:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2025:13012",
"initial_release_date": "2025-08-07T10:51:36+00:00",
"revision_history": [
{
"date": "2025-08-07T10:51:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-07T10:51:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T03:05:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.15.6",
"product": {
"name": "Red Hat build of Quarkus 3.15.6",
"product_id": "Red Hat build of Quarkus 3.15.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.15::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.15.6"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-07T10:51:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.15.6"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13012"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.15.6"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.15.6"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
},
{
"cve": "CVE-2025-49574",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2025-06-23T20:00:57.216622+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374376"
}
],
"notes": [
{
"category": "description",
"text": "A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus/quarkus-vertx: Quarkus potential data leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.15.6"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49574"
},
{
"category": "external",
"summary": "RHBZ#2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49574"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1",
"url": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/48227",
"url": "https://github.com/quarkusio/quarkus/issues/48227"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4"
}
],
"release_date": "2025-06-23T19:47:05.454000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-07T10:51:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.15.6"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13012"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.15.6"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.15.6"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.quarkus/quarkus-vertx: Quarkus potential data leak"
}
]
}
RHSA-2025:13274
Vulnerability from csaf_redhat - Published: 2025-08-06 16:17 - Updated: 2026-04-30 13:31Summary
Red Hat Security Advisory: Red Hat AMQ Broker 7.13.1 release and security update
Severity
Important
Notes
Topic: Red Hat AMQ Broker 7.13.1 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.
This release of Red Hat AMQ Broker 7.13.1 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* (CVE-2025-1948) jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability
* (CVE-2025-48734) commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
* (CVE-2025-49146) postgresql: pgjdbc insecure authentication in channel binding
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat AMQ Broker 7.13.1
Red Hat / Red Hat JBoss AMQ
|
cpe:/a:redhat:amq_broker:7.13
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat AMQ Broker 7.13.1
Red Hat / Red Hat JBoss AMQ
|
cpe:/a:redhat:amq_broker:7.13
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat AMQ Broker 7.13.1
Red Hat / Red Hat JBoss AMQ
|
cpe:/a:redhat:amq_broker:7.13
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
36 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AMQ Broker 7.13.1 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.\n\nThis release of Red Hat AMQ Broker 7.13.1 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* (CVE-2025-1948) jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability\n* (CVE-2025-48734) commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default\n* (CVE-2025-49146) postgresql: pgjdbc insecure authentication in channel binding\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:13274",
"url": "https://access.redhat.com/errata/RHSA-2025:13274"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification#important",
"url": "https://access.redhat.com/security/updates/classification#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.13.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.13.1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.13",
"url": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.13"
},
{
"category": "external",
"summary": "2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "ENTMQBR-7388",
"url": "https://issues.redhat.com/browse/ENTMQBR-7388"
},
{
"category": "external",
"summary": "ENTMQBR-9783",
"url": "https://issues.redhat.com/browse/ENTMQBR-9783"
},
{
"category": "external",
"summary": "ENTMQBR-9821",
"url": "https://issues.redhat.com/browse/ENTMQBR-9821"
},
{
"category": "external",
"summary": "ENTMQBR-9838",
"url": "https://issues.redhat.com/browse/ENTMQBR-9838"
},
{
"category": "external",
"summary": "ENTMQBR-9840",
"url": "https://issues.redhat.com/browse/ENTMQBR-9840"
},
{
"category": "external",
"summary": "ENTMQBR-9843",
"url": "https://issues.redhat.com/browse/ENTMQBR-9843"
},
{
"category": "external",
"summary": "ENTMQBR-9873",
"url": "https://issues.redhat.com/browse/ENTMQBR-9873"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13274.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.13.1 release and security update",
"tracking": {
"current_release_date": "2026-04-30T13:31:45+00:00",
"generator": {
"date": "2026-04-30T13:31:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:13274",
"initial_release_date": "2025-08-06T16:17:31+00:00",
"revision_history": [
{
"date": "2025-08-06T16:17:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-06T16:17:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:31:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AMQ Broker 7.13.1",
"product": {
"name": "Red Hat AMQ Broker 7.13.1",
"product_id": "Red Hat AMQ Broker 7.13.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_broker:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss AMQ"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1948",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-05-08T18:00:52.156301+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365137"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7.13.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1948"
},
{
"category": "external",
"summary": "RHBZ#2365137",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
}
],
"release_date": "2025-05-08T17:48:40.831000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-06T16:17:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7.13.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13274"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AMQ Broker 7.13.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Broker 7.13.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
},
{
"cve": "CVE-2025-48734",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-05-28T14:00:56.619771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2368956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications that pass untrusted property paths directly to getProperty() or getNestedProperty() methods are at risk, as attackers can exploit this behavior to retrieve the ClassLoader instance and execute arbitrary code in the context of the affected application. This issue leads to compromise of confidentiality, integrity, and availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7.13.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48734"
},
{
"category": "external",
"summary": "RHBZ#2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9",
"url": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc",
"url": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9",
"url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/05/28/6",
"url": "https://www.openwall.com/lists/oss-security/2025/05/28/6"
}
],
"release_date": "2025-05-28T13:32:08.300000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-06T16:17:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7.13.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13274"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Broker 7.13.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7.13.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-06T16:17:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7.13.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13274"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AMQ Broker 7.13.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Broker 7.13.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
}
]
}
RHSA-2025:16409
Vulnerability from csaf_redhat - Published: 2025-09-22 23:39 - Updated: 2026-04-30 13:32Summary
Red Hat Security Advisory: Red Hat AMQ Broker 7.12.5 release and security update
Severity
Important
Notes
Topic: Red Hat AMQ Broker 7.12.5 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.
This release of Red Hat AMQ Broker 7.12.5 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
* (CVE-2025-48734) commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
* (CVE-2025-49146) postgresql: pgjdbc insecure authentication in channel binding
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat AMQ Broker 7.12.5
Red Hat / Red Hat JBoss AMQ
|
cpe:/a:redhat:amq_broker:7.12
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat AMQ Broker 7.12.5
Red Hat / Red Hat JBoss AMQ
|
cpe:/a:redhat:amq_broker:7.12
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AMQ Broker 7.12.5 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.\n\nThis release of Red Hat AMQ Broker 7.12.5 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* (CVE-2025-48734) commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default\n* (CVE-2025-49146) postgresql: pgjdbc insecure authentication in channel binding\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:16409",
"url": "https://access.redhat.com/errata/RHSA-2025:16409"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification#important",
"url": "https://access.redhat.com/security/updates/classification#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.12.5",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.12.5"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.12",
"url": "https://docs.redhat.com/en/documentation/red_hat_amq_broker/7.12"
},
{
"category": "external",
"summary": "2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_16409.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.12.5 release and security update",
"tracking": {
"current_release_date": "2026-04-30T13:32:43+00:00",
"generator": {
"date": "2026-04-30T13:32:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:16409",
"initial_release_date": "2025-09-22T23:39:35+00:00",
"revision_history": [
{
"date": "2025-09-22T23:39:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-09-22T23:39:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:32:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AMQ Broker 7.12.5",
"product": {
"name": "Red Hat AMQ Broker 7.12.5",
"product_id": "Red Hat AMQ Broker 7.12.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_broker:7.12"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss AMQ"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48734",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-05-28T14:00:56.619771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2368956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications that pass untrusted property paths directly to getProperty() or getNestedProperty() methods are at risk, as attackers can exploit this behavior to retrieve the ClassLoader instance and execute arbitrary code in the context of the affected application. This issue leads to compromise of confidentiality, integrity, and availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7.12.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48734"
},
{
"category": "external",
"summary": "RHBZ#2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9",
"url": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc",
"url": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9",
"url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/05/28/6",
"url": "https://www.openwall.com/lists/oss-security/2025/05/28/6"
}
],
"release_date": "2025-05-28T13:32:08.300000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-22T23:39:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7.12.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:16409"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Broker 7.12.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Broker 7.12.5"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-22T23:39:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Broker 7.12.5"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:16409"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat AMQ Broker 7.12.5"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Broker 7.12.5"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
}
]
}
RHSA-2025:9697
Vulnerability from csaf_redhat - Published: 2025-06-25 19:47 - Updated: 2026-05-05 10:06Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.3 for Spring Boot patch release.
Severity
Important
Notes
Topic: Red Hat build of Apache Camel 4.10.3 for Spring Boot patch release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Details: Red Hat build of Apache Camel 4.10.3 for Spring Boot patch release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues
fixed.
Security Fix(es):
* jetty-server: Jetty: Gzip Request Body Buffer Corruption (CVE-2024-13009)
* commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default (CVE-2025-48734)
* postgresql: pgjdbc insecure authentication in channel binding (CVE-2025-49146)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Eclipse Jetty. This vulnerability allows corrupted and inadvertent data sharing between requests via a gzip error when inflating a request body. If the request body is malformed, the gzip decompression process can fail, resulting in the application inadvertently using data from a previous request when processing the current one.
7.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_spring_boot:4
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
26 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of Apache Camel 4.10.3 for Spring Boot patch release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Apache Camel 4.10.3 for Spring Boot patch release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues\nfixed.\n\nSecurity Fix(es):\n \n* jetty-server: Jetty: Gzip Request Body Buffer Corruption (CVE-2024-13009)\n\n* commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default (CVE-2025-48734)\n\n* postgresql: pgjdbc insecure authentication in channel binding (CVE-2025-49146)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:9697",
"url": "https://access.redhat.com/errata/RHSA-2025:9697"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2365135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"
},
{
"category": "external",
"summary": "2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_9697.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10.3 for Spring Boot patch release.",
"tracking": {
"current_release_date": "2026-05-05T10:06:19+00:00",
"generator": {
"date": "2026-05-05T10:06:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:9697",
"initial_release_date": "2025-06-25T19:47:43+00:00",
"revision_history": [
{
"date": "2025-06-25T19:47:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-06-25T19:47:43+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T10:06:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7",
"product": {
"name": "Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7",
"product_id": "Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_spring_boot:4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-13009",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2025-05-08T18:00:47.047186+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows corrupted and inadvertent data sharing between requests via a gzip error when inflating a request body. If the request body is malformed, the gzip decompression process can fail, resulting in the application inadvertently using data from a previous request when processing the current one.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: Jetty: Gzip Request Body Buffer Corruption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as an IMPORTANT severity because a buffer management vulnerability exists within the GzipHandler\u0027s buffer release mechanism when encountering gzip errors during request body inflation, this flaw can lead to the incorrect release and subsequent inadvertent sharing and corruption of request body data between concurrent uncompressed requests, results in data exposure and incorrect processing of requests due to corrupted input.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-13009"
},
{
"category": "external",
"summary": "RHBZ#2365135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"
}
],
"release_date": "2025-05-08T17:29:31.380000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-25T19:47:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:9697"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty-server: Jetty: Gzip Request Body Buffer Corruption"
},
{
"cve": "CVE-2025-48734",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-05-28T14:00:56.619771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2368956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications that pass untrusted property paths directly to getProperty() or getNestedProperty() methods are at risk, as attackers can exploit this behavior to retrieve the ClassLoader instance and execute arbitrary code in the context of the affected application. This issue leads to compromise of confidentiality, integrity, and availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48734"
},
{
"category": "external",
"summary": "RHBZ#2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9",
"url": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc",
"url": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9",
"url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/05/28/6",
"url": "https://www.openwall.com/lists/oss-security/2025/05/28/6"
}
],
"release_date": "2025-05-28T13:32:08.300000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-25T19:47:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:9697"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2025-06-11T15:01:33.735376+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2372307"
}
],
"notes": [
{
"category": "description",
"text": "A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pgjdbc: pgjdbc insecure authentication in channel binding",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49146"
},
{
"category": "external",
"summary": "RHBZ#2372307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49146"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0",
"url": "https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0"
},
{
"category": "external",
"summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54",
"url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54"
}
],
"release_date": "2025-06-11T14:32:39.348000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-06-25T19:47:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:9697"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "pgjdbc: pgjdbc insecure authentication in channel binding"
}
]
}
WID-SEC-W-2025-1328
Vulnerability from csaf_certbund - Published: 2025-06-15 22:00 - Updated: 2025-11-09 23:00Summary
PostgreSQL JDBC Treiber: Schwachstelle ermöglicht Offenlegung von Informationen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: PostgreSQL ist eine frei verfügbare Datenbank für unterschiedliche Betriebssysteme.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle im PostgreSQL JDBC Treiber ausnutzen, um Informationen offenzulegen.
Betroffene Betriebssysteme: - Linux
- UNIX
- Windows
Affected products
Known affected
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAS Institute Base SAS <9.4M9 (TS1M9)
SAS Institute / Base SAS
|
<9.4M9 (TS1M9) | ||
|
Red Hat Enterprise Linux
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
SOS GmbH JobScheduler <2.7.6
SOS GmbH / JobScheduler
|
<2.7.6 | ||
|
Atlassian Bitbucket <9.6.5
Atlassian / Bitbucket
|
<9.6.5 | ||
|
IBM Storage Scale <5.1.9.11
IBM / Storage Scale
|
<5.1.9.11 | ||
|
Atlassian Bitbucket <9.4.9 LTS
Atlassian / Bitbucket
|
<9.4.9 LTS | ||
|
IBM Storage Scale <5.2.3.3
IBM / Storage Scale
|
<5.2.3.3 | ||
|
Atlassian Bamboo <10.2.6 (LTS)
Atlassian / Bamboo
|
<10.2.6 (LTS) | ||
|
Atlassian Bamboo <11.0.3
Atlassian / Bamboo
|
<11.0.3 | ||
|
IBM Sterling Connect:Direct
IBM
|
cpe:/a:ibm:sterling_connect%3adirect:-
|
— | |
|
Atlassian Bamboo <9.6.15 (LTS)
Atlassian / Bamboo
|
<9.6.15 (LTS) | ||
|
Red Hat Enterprise Linux Cryostat 4
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:cryostat_4
|
Cryostat 4 | |
|
IBM Storage Scale <6.2.3.2
IBM / Storage Scale
|
<6.2.3.2 | ||
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Atlassian Bitbucket <8.19.21 LTS
Atlassian / Bitbucket
|
<8.19.21 LTS | ||
|
Open Source Keycloak <26.3.2
Open Source / Keycloak
|
<26.3.2 | ||
|
Red Hat JBoss A-MQ <7.12.5
Red Hat / JBoss A-MQ
|
<7.12.5 | ||
|
Open Source PostgreSQL JDBC <42.7.7
Open Source / PostgreSQL
|
JDBC <42.7.7 | ||
|
SOS GmbH JobScheduler <2.8.1
SOS GmbH / JobScheduler
|
<2.8.1 | ||
|
IBM Cognos Analytics Certified Containers <12.1.1
IBM / Cognos Analytics
|
Certified Containers <12.1.1 |
References
19 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "PostgreSQL ist eine frei verf\u00fcgbare Datenbank f\u00fcr unterschiedliche Betriebssysteme.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle im PostgreSQL JDBC Treiber ausnutzen, um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1328 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1328.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1328 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1328"
},
{
"category": "external",
"summary": "PostgreSQL JDBC 42.7.7 Security update for CVE-2025-49146 vom 2025-06-15",
"url": "https://www.postgresql.org/about/news/postgresql-jdbc-4277-security-update-for-cve-2025-49146-3088/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:9697 vom 2025-06-26",
"url": "https://access.redhat.com/errata/RHSA-2025:9697"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10323 vom 2025-07-03",
"url": "https://access.redhat.com/errata/RHSA-2025:10323"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15264-1 vom 2025-07-05",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G22QBO2YMQDFFWTF5U3HTUBLFY6KJACA/"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - July 15 2025",
"url": "https://confluence.atlassian.com/security/security-bulletin-july-15-2025-1590658642.html"
},
{
"category": "external",
"summary": "Keycloak 26.3.2 Release Notes",
"url": "https://www.keycloak.org/2025/07/keycloak-2632-released"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:13274 vom 2025-08-06",
"url": "https://access.redhat.com/errata/RHSA-2025:13274"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:13010 vom 2025-08-07",
"url": "https://access.redhat.com/errata/RHSA-2025:13010"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:13012 vom 2025-08-07",
"url": "https://access.redhat.com/errata/RHSA-2025:13012"
},
{
"category": "external",
"summary": "SOS Release Notes vom 2025-08-11",
"url": "https://kb.sos-berlin.com/display/PKB/Vulnerability+Remediation+Release+2.8.1"
},
{
"category": "external",
"summary": "SOS Release Notes vom 2025-08-15",
"url": "https://kb.sos-berlin.com/display/PKB/Vulnerability+Remediation+Release+2.7.6"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - August 19 2025 vom 2025-08-19",
"url": "https://confluence.atlassian.com/security/security-bulletin-august-19-2025-1621491738.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7243824 vom 2025-09-02",
"url": "https://www.ibm.com/support/pages/node/7243824"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:16409 vom 2025-09-23",
"url": "https://access.redhat.com/errata/RHSA-2025:16409"
},
{
"category": "external",
"summary": "SAS Security Update vom 2025-10-02",
"url": "https://support.sas.com/en/security-bulletins/sas-security-update-for-sas-94m9-ts1m9.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7247284 vom 2025-10-07",
"url": "https://www.ibm.com/support/pages/node/7247284"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7250395 vom 2025-11-07",
"url": "https://www.ibm.com/support/pages/node/7250395"
}
],
"source_lang": "en-US",
"title": "PostgreSQL JDBC Treiber: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
"tracking": {
"current_release_date": "2025-11-09T23:00:00.000+00:00",
"generator": {
"date": "2025-11-10T11:32:30.400+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1328",
"initial_release_date": "2025-06-15T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-06-15T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-06-25T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-03T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-06T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-07-15T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-07-23T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-08-06T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-08-11T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-08-17T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-08-19T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-09-02T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-22T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-10-05T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-10-06T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-09T23:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "15"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c11.0.3",
"product": {
"name": "Atlassian Bamboo \u003c11.0.3",
"product_id": "T045447"
}
},
{
"category": "product_version",
"name": "11.0.3",
"product": {
"name": "Atlassian Bamboo 11.0.3",
"product_id": "T045447-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:11.0.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.2.6 (LTS)",
"product": {
"name": "Atlassian Bamboo \u003c10.2.6 (LTS)",
"product_id": "T045448"
}
},
{
"category": "product_version",
"name": "10.2.6 (LTS)",
"product": {
"name": "Atlassian Bamboo 10.2.6 (LTS)",
"product_id": "T045448-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:10.2.6_%28lts%29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.6.15 (LTS)",
"product": {
"name": "Atlassian Bamboo \u003c9.6.15 (LTS)",
"product_id": "T045449"
}
},
{
"category": "product_version",
"name": "9.6.15 (LTS)",
"product": {
"name": "Atlassian Bamboo 9.6.15 (LTS)",
"product_id": "T045449-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:9.6.15_%28lts%29"
}
}
}
],
"category": "product_name",
"name": "Bamboo"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.6.5",
"product": {
"name": "Atlassian Bitbucket \u003c9.6.5",
"product_id": "T046338"
}
},
{
"category": "product_version",
"name": "9.6.5",
"product": {
"name": "Atlassian Bitbucket 9.6.5",
"product_id": "T046338-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:9.6.5"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.9 LTS",
"product": {
"name": "Atlassian Bitbucket \u003c9.4.9 LTS",
"product_id": "T046339"
}
},
{
"category": "product_version",
"name": "9.4.9 LTS",
"product": {
"name": "Atlassian Bitbucket 9.4.9 LTS",
"product_id": "T046339-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:9.4.9::lts"
}
}
},
{
"category": "product_version_range",
"name": "\u003c8.19.21 LTS",
"product": {
"name": "Atlassian Bitbucket \u003c8.19.21 LTS",
"product_id": "T046340"
}
},
{
"category": "product_version",
"name": "8.19.21 LTS",
"product": {
"name": "Atlassian Bitbucket 8.19.21 LTS",
"product_id": "T046340-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:8.19.21::lts"
}
}
}
],
"category": "product_name",
"name": "Bitbucket"
}
],
"category": "vendor",
"name": "Atlassian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Certified Containers \u003c12.1.1",
"product": {
"name": "IBM Cognos Analytics Certified Containers \u003c12.1.1",
"product_id": "T048389"
}
},
{
"category": "product_version",
"name": "Certified Containers 12.1.1",
"product": {
"name": "IBM Cognos Analytics Certified Containers 12.1.1",
"product_id": "T048389-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:cognos_analytics:certified_containers__12.1.1"
}
}
}
],
"category": "product_name",
"name": "Cognos Analytics"
},
{
"category": "product_name",
"name": "IBM Sterling Connect:Direct",
"product": {
"name": "IBM Sterling Connect:Direct",
"product_id": "T045428",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.1.9.11",
"product": {
"name": "IBM Storage Scale \u003c5.1.9.11",
"product_id": "T046657"
}
},
{
"category": "product_version",
"name": "5.1.9.11",
"product": {
"name": "IBM Storage Scale 5.1.9.11",
"product_id": "T046657-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.1.9.11"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.2.3.3",
"product": {
"name": "IBM Storage Scale \u003c5.2.3.3",
"product_id": "T046658"
}
},
{
"category": "product_version",
"name": "5.2.3.3",
"product": {
"name": "IBM Storage Scale 5.2.3.3",
"product_id": "T046658-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.2.3.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.2.3.2",
"product": {
"name": "IBM Storage Scale \u003c6.2.3.2",
"product_id": "T046659"
}
},
{
"category": "product_version",
"name": "6.2.3.2",
"product": {
"name": "IBM Storage Scale 6.2.3.2",
"product_id": "T046659-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:6.2.3.2"
}
}
}
],
"category": "product_name",
"name": "Storage Scale"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c26.3.2",
"product": {
"name": "Open Source Keycloak \u003c26.3.2",
"product_id": "T045651"
}
},
{
"category": "product_version",
"name": "26.3.2",
"product": {
"name": "Open Source Keycloak 26.3.2",
"product_id": "T045651-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:keycloak:keycloak:26.3.2"
}
}
}
],
"category": "product_name",
"name": "Keycloak"
},
{
"branches": [
{
"category": "product_version_range",
"name": "JDBC \u003c42.7.7",
"product": {
"name": "Open Source PostgreSQL JDBC \u003c42.7.7",
"product_id": "T044641"
}
},
{
"category": "product_version",
"name": "JDBC 42.7.7",
"product": {
"name": "Open Source PostgreSQL JDBC 42.7.7",
"product_id": "T044641-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:postgresql:postgresql:42.7.7::jdbc"
}
}
}
],
"category": "product_name",
"name": "PostgreSQL"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "Cryostat 4",
"product": {
"name": "Red Hat Enterprise Linux Cryostat 4",
"product_id": "T042558",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:cryostat_4"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c7.12.5",
"product": {
"name": "Red Hat JBoss A-MQ \u003c7.12.5",
"product_id": "T047116"
}
},
{
"category": "product_version",
"name": "7.12.5",
"product": {
"name": "Red Hat JBoss A-MQ 7.12.5",
"product_id": "T047116-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:7.12.5"
}
}
}
],
"category": "product_name",
"name": "JBoss A-MQ"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS \u003c9.4M9 (TS1M9)",
"product_id": "T047382"
}
},
{
"category": "product_version",
"name": "9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS 9.4M9 (TS1M9)",
"product_id": "T047382-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sas:base_sas:9.4m9_%28ts1m9%29"
}
}
}
],
"category": "product_name",
"name": "Base SAS"
}
],
"category": "vendor",
"name": "SAS Institute"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.8.1",
"product": {
"name": "SOS GmbH JobScheduler \u003c2.8.1",
"product_id": "T045972"
}
},
{
"category": "product_version",
"name": "2.8.1",
"product": {
"name": "SOS GmbH JobScheduler 2.8.1",
"product_id": "T045972-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sos_gmbh:jobscheduler:2.8.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c2.7.6",
"product": {
"name": "SOS GmbH JobScheduler \u003c2.7.6",
"product_id": "T046292"
}
},
{
"category": "product_version",
"name": "2.7.6",
"product": {
"name": "SOS GmbH JobScheduler 2.7.6",
"product_id": "T046292-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sos_gmbh:jobscheduler:2.7.6"
}
}
}
],
"category": "product_name",
"name": "JobScheduler"
}
],
"category": "vendor",
"name": "SOS GmbH"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-49146",
"product_status": {
"known_affected": [
"T047382",
"67646",
"T046292",
"T046338",
"T046657",
"T046339",
"T046658",
"T045448",
"T045447",
"T045428",
"T045449",
"T042558",
"T046659",
"T027843",
"T046340",
"T045651",
"T047116",
"T044641",
"T045972",
"T048389"
]
},
"release_date": "2025-06-15T22:00:00.000+00:00",
"title": "CVE-2025-49146"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…