Vulnerability-Lookup

CVE-2025-52999 (GCVE-0-2025-52999)

Vulnerability from cvelistv5 – Published: 2025-06-25 17:02 – Updated: 2025-06-25 18:04

Title

jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data

Summary

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/FasterXML/jackson-core/securit…	x_refsource_CONFIRM
https://github.com/FasterXML/jackson-core/pull/943	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
FasterXML	jackson-core	Affected: < 2.15.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52999",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T18:04:07.206576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T18:04:23.296Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jackson-core",
          "vendor": "FasterXML",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T17:02:57.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        },
        {
          "name": "https://github.com/FasterXML/jackson-core/pull/943",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        }
      ],
      "source": {
        "advisory": "GHSA-h46c-h94j-95f3",
        "discovery": "UNKNOWN"
      },
      "title": "jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-52999",
    "datePublished": "2025-06-25T17:02:57.428Z",
    "dateReserved": "2025-06-24T03:50:36.795Z",
    "dateUpdated": "2025-06-25T18:04:23.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-52999",
      "date": "2026-06-04",
      "epss": "0.00252",
      "percentile": "0.48752"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-52999\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-25T17:15:39.820\",\"lastModified\":\"2025-06-26T18:57:43.670\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jackson-core contains core low-level incremental (\\\"streaming\\\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.\"},{\"lang\":\"es\",\"value\":\"jackson-core contiene las abstracciones principales del analizador incremental (\\\"streaming\\\") de bajo nivel y del generador utilizadas por Jackson Data Processor. En versiones anteriores a la 2.15.0, si un usuario analiza un archivo de entrada con datos profundamente anidados, Jackson pod\u00eda generar un error de Stackoverflow si la profundidad era excesiva. jackson-core 2.15.0 incluye un l\u00edmite configurable para la profundidad que Jackson recorrer\u00e1 en un documento de entrada, con una profundidad predeterminada de 1000. jackson-core generar\u00e1 una excepci\u00f3n StreamConstraintsException si se alcanza el l\u00edmite. jackson-databind tambi\u00e9n se beneficia de este cambio, ya que utiliza jackson-core para analizar las entradas JSON. Como soluci\u00f3n alternativa, se recomienda a los usuarios evitar analizar archivos de entrada de fuentes no confiables.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"references\":[{\"url\":\"https://github.com/FasterXML/jackson-core/pull/943\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-121\", \"lang\": \"en\", \"description\": \"CWE-121: Stack-based Buffer Overflow\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3\"}, {\"name\": \"https://github.com/FasterXML/jackson-core/pull/943\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/FasterXML/jackson-core/pull/943\"}], \"affected\": [{\"vendor\": \"FasterXML\", \"product\": \"jackson-core\", \"versions\": [{\"version\": \"\u003c 2.15.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-25T17:02:57.428Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"jackson-core contains core low-level incremental (\\\"streaming\\\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.\"}], \"source\": {\"advisory\": \"GHSA-h46c-h94j-95f3\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52999\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-25T18:04:07.206576Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-25T18:04:19.172Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-52999\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-06-24T03:50:36.795Z\", \"datePublished\": \"2025-06-25T17:02:57.428Z\", \"dateUpdated\": \"2025-06-25T18:04:23.296Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

NCSC-2026-0028

Vulnerability from csaf_ncscnl - Published: 2026-01-21 10:10 - Updated: 2026-01-21 10:10

Summary

Kwetsbaarheden verholpen in Oracle Analytics

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in Oracle Business Intelligence Enterprise Edition.

Interpretaties: De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een Denial-of-Service te veroorzaken, of kunnen leiden tot ongeautoriseerde toegang en wijziging van kritieke gegevens.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-121: Stack-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-285: Improper Authorization

CWE-404: Improper Resource Shutdown or Release

CWE-502: Deserialization of Untrusted Data

CWE-611: Improper Restriction of XML External Entity Reference

CWE-674: Uncontrolled Recursion

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-787: Out-of-bounds Write

CVE-2021-23926

Multiple vulnerabilities across Oracle products, including Middleware, Business Intelligence, and SOA Suite, as well as XMLBeans, expose systems to unauthorized access and denial of service, with CVSS scores ranging from 7.3 to 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2022-45047

Recent updates and vulnerabilities in Apache MINA SSHD, Oracle products, and Red Hat JBoss Data Grid highlight significant security risks, including unsafe Java deserialization and unauthenticated access leading to potential system compromises.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2024-57699

Multiple vulnerabilities across Oracle Business Intelligence, Primavera Gateway, Oracle GoldenGate, and HPE Telco Service Orchestrator allow for denial of service, with CVSS scores ranging from 2.7 to 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-9230

Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-31672

Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-48924

Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-52999

Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2026-21976

A vulnerability in Oracle Business Intelligence Enterprise Edition (versions 7.6.0.0.0 and 8.2.0.0.0) allows low-privileged attackers to compromise the system, with a CVSS score of 7.1 indicating significant impacts on confidentiality and integrity.

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Business Intelligence		vers:unknown/*
vers:unknown/* Oracle / Business Intelligence Enterprise Edition		vers:unknown/*

References

9 references

URL	Category
https://www.oracle.com/security-alerts/cpujan2026.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in Oracle Business Intelligence Enterprise Edition.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een Denial-of-Service te veroorzaken, of kunnen leiden tot ongeautoriseerde toegang en wijziging van kritieke gegevens.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Stack-based Buffer Overflow",
        "title": "CWE-121"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
        "title": "CWE-776"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Analytics",
    "tracking": {
      "current_release_date": "2026-01-21T10:10:15.985753Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0028",
      "initial_release_date": "2026-01-21T10:10:15.985753Z",
      "revision_history": [
        {
          "date": "2026-01-21T10:10:15.985753Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Business Intelligence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Business Intelligence Enterprise Edition"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-23926",
      "cwe": {
        "id": "CWE-776",
        "name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
          "title": "CWE-776"
        },
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle products, including Middleware, Business Intelligence, and SOA Suite, as well as XMLBeans, expose systems to unauthorized access and denial of service, with CVSS scores ranging from 7.3 to 9.1.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-23926 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-23926.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2021-23926"
    },
    {
      "cve": "CVE-2022-45047",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "Recent updates and vulnerabilities in Apache MINA SSHD, Oracle products, and Red Hat JBoss Data Grid highlight significant security risks, including unsafe Java deserialization and unauthenticated access leading to potential system compromises.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-45047 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-45047.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2022-45047"
    },
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Business Intelligence, Primavera Gateway, Oracle GoldenGate, and HPE Telco Service Orchestrator allow for denial of service, with CVSS scores ranging from 2.7 to 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-57699 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2024-57699"
    },
    {
      "cve": "CVE-2025-9230",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities related to out-of-bounds read and write issues in OpenSSL affect various products, with moderate severity assessments and low likelihood of successful exploitation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-9230 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9230.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-9230"
    },
    {
      "cve": "CVE-2025-31672",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31672 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-31672"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Stack-based Buffer Overflow",
          "title": "CWE-121"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-52999 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52999.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-52999"
    },
    {
      "cve": "CVE-2026-21976",
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability in Oracle Business Intelligence Enterprise Edition (versions 7.6.0.0.0 and 8.2.0.0.0) allows low-privileged attackers to compromise the system, with a CVSS score of 7.1 indicating significant impacts on confidentiality and integrity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2026-21976"
    }
  ]
}

NCSC-2026-0034

Vulnerability from csaf_ncscnl - Published: 2026-01-22 09:03 - Updated: 2026-01-22 09:03

Summary

Kwetsbaarheden verholpen in Atlassian producten

Notes

Feiten: Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.

Interpretaties: Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens. Een reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.

Oplossingen: Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-23: Relative Path Traversal

CWE-121: Stack-based Buffer Overflow

CWE-285: Improper Authorization

CWE-287: Improper Authentication

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-459: Incomplete Cleanup

CWE-611: Improper Restriction of XML External Entity Reference

CWE-697: Incorrect Comparison

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1333: Inefficient Regular Expression Complexity

CVE-2021-3807

Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2022-25883

Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2022-45693

Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2024-21538

Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2024-38286

Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2024-45296

Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2024-45801

Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-12383

Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-15284

The `qs` module's `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-27152

Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-41249

Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-48976

Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-48989

Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-49146

Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-287 - Improper Authentication

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-52434

Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-52999

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-53689

Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-54988

Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-55163

Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-55752

Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-23 - Relative Path Traversal

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-64775

Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-459 - Incomplete Cleanup

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-66516

Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-9287

The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-20 - Improper Input Validation

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2025-9288

The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-20 - Improper Input Validation

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

CVE-2026-21569

A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.

Affected products

Known affected 7 products

Product	Identifier	Version	Remediation
vers:unknown/* Atlassian / Bamboo		vers:unknown/*
vers:unknown/* Atlassian / Bitbucket		vers:unknown/*
vers:unknown/* Atlassian / Confluence		vers:unknown/*
vers:unknown/* Atlassian / Crowd Server		vers:unknown/*
vers:unknown/* Atlassian / Crucible		vers:unknown/*
vers:unknown/* Atlassian / Fisheye		vers:unknown/*
vers:unknown/* Atlassian / Jira		vers:unknown/*

References

26 references

URL	Category
https://confluence.atlassian.com/security/securit…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens.\nEen reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Relative Path Traversal",
        "title": "CWE-23"
      },
      {
        "category": "general",
        "text": "Stack-based Buffer Overflow",
        "title": "CWE-121"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Improper Authentication",
        "title": "CWE-287"
      },
      {
        "category": "general",
        "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
        "title": "CWE-362"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Incomplete Cleanup",
        "title": "CWE-459"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Incorrect Comparison",
        "title": "CWE-697"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      },
      {
        "category": "general",
        "text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
        "title": "CWE-1321"
      },
      {
        "category": "general",
        "text": "Inefficient Regular Expression Complexity",
        "title": "CWE-1333"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://confluence.atlassian.com/security/security-bulletin-january-20-2026-1712324819.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Atlassian producten",
    "tracking": {
      "current_release_date": "2026-01-22T09:03:42.667958Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0034",
      "initial_release_date": "2026-01-22T09:03:42.667958Z",
      "revision_history": [
        {
          "date": "2026-01-22T09:03:42.667958Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Bamboo"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Bitbucket"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Crowd Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Crucible"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Fisheye"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Jira"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-3807",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "other",
          "text": "Incorrect Comparison",
          "title": "CWE-697"
        },
        {
          "category": "description",
          "text": "Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-3807 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-3807.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2021-3807"
    },
    {
      "cve": "CVE-2022-25883",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "description",
          "text": "Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-25883 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-25883.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2022-25883"
    },
    {
      "cve": "CVE-2022-45693",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "description",
          "text": "Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-45693 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-45693.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2022-45693"
    },
    {
      "cve": "CVE-2024-21538",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "description",
          "text": "Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21538 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-21538.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2024-21538"
    },
    {
      "cve": "CVE-2024-38286",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38286 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-38286.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2024-38286"
    },
    {
      "cve": "CVE-2024-45296",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-45296 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45296.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2024-45296"
    },
    {
      "cve": "CVE-2024-45801",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "other",
          "text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
          "title": "CWE-1321"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-45801 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45801.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2024-45801"
    },
    {
      "cve": "CVE-2025-12383",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
          "title": "CWE-362"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12383 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-12383"
    },
    {
      "cve": "CVE-2025-15284",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "The `qs` module\u0027s `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-15284 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-15284.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-15284"
    },
    {
      "cve": "CVE-2025-27152",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27152 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27152.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-27152"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-48989",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48989 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-49146",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authentication",
          "title": "CWE-287"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49146 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49146.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-49146"
    },
    {
      "cve": "CVE-2025-52434",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
          "title": "CWE-362"
        },
        {
          "category": "description",
          "text": "Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-52434 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52434.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-52434"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Stack-based Buffer Overflow",
          "title": "CWE-121"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-52999 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52999.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-52999"
    },
    {
      "cve": "CVE-2025-53689",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "description",
          "text": "Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53689 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53689.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-53689"
    },
    {
      "cve": "CVE-2025-54988",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54988 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-54988"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-55752",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "other",
          "text": "Relative Path Traversal",
          "title": "CWE-23"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55752 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55752.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-55752"
    },
    {
      "cve": "CVE-2025-64775",
      "cwe": {
        "id": "CWE-459",
        "name": "Incomplete Cleanup"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incomplete Cleanup",
          "title": "CWE-459"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-64775 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64775.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-64775"
    },
    {
      "cve": "CVE-2025-66516",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-66516"
    },
    {
      "cve": "CVE-2025-9287",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-9287 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9287.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-9287"
    },
    {
      "cve": "CVE-2025-9288",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-9288 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9288.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7"
          ]
        }
      ],
      "title": "CVE-2025-9288"
    },
    {
      "cve": "CVE-2026-21569",
      "notes": [
        {
          "category": "description",
          "text": "A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21569 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21569.json"
        }
      ],
      "title": "CVE-2026-21569"
    }
  ]
}

RHSA-2025:10092

Vulnerability from csaf_redhat - Published: 2025-07-01 13:48 - Updated: 2026-05-10 14:26

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.18 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.18. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) (CVE-2024-57699) * jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length (CVE-2025-22228) * jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948) * jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999) * jenkins-2-plugins: jackson-core Potential StackoverflowError (CVE-2025-52999) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2024-57699

A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10092	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Openshift Jenkins is now available for Red Hat Product OCP \nTools 4.18. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10092",
        "url": "https://access.redhat.com/errata/RHSA-2025:10092"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10092.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.18 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:26:59+00:00",
      "generator": {
        "date": "2026-05-10T14:26:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10092",
      "initial_release_date": "2025-07-01T13:48:03+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T13:48:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T13:48:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:26:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.18",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.18",
                  "product_id": "9Base-OCP-Tools-4.18",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.18::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750846524-3.el9.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750846524-3.el9.src",
                  "product_id": "jenkins-0:2.504.2.1750846524-3.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750846524-3.el9?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
                  "product_id": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.18.1750846854-1.el9?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
                  "product_id": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750846524-3.el9?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
                  "product_id": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.18.1750846854-1.el9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750846524-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.18",
          "product_id": "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750846524-3.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.18"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750846524-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.18",
          "product_id": "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750846524-3.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.18"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.18",
          "product_id": "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.18"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.18",
          "product_id": "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.18.1750846854-1.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.18"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T13:48:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10092"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T13:48:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10092"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T13:48:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10092"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
          "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T13:48:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10092"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-0:2.504.2.1750846524-3.el9.src",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.noarch",
            "9Base-OCP-Tools-4.18:jenkins-2-plugins-0:4.18.1750846854-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10097

Vulnerability from csaf_redhat - Published: 2025-07-01 14:30 - Updated: 2026-05-10 14:26

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.17. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10097	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.17. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10097",
        "url": "https://access.redhat.com/errata/RHSA-2025:10097"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10097.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:26:53+00:00",
      "generator": {
        "date": "2026-05-10T14:26:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10097",
      "initial_release_date": "2025-07-01T14:30:33+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T14:30:33+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T14:30:33+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:26:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.17",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.17",
                  "product_id": "9Base-OCP-Tools-4.17",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.17::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750851690-3.el9.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750851690-3.el9.src",
                  "product_id": "jenkins-0:2.504.2.1750851690-3.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750851690-3.el9?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
                  "product_id": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.17.1750851950-1.el9?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
                  "product_id": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750851690-3.el9?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
                  "product_id": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.17.1750851950-1.el9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750851690-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17",
          "product_id": "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750851690-3.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750851690-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17",
          "product_id": "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750851690-3.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17",
          "product_id": "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.17"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17",
          "product_id": "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.17.1750851950-1.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.17"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:30:33+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10097"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:30:33+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10097"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:30:33+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10097"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
          "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:30:33+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10097"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-0:2.504.2.1750851690-3.el9.src",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.noarch",
            "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1750851950-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10098

Vulnerability from csaf_redhat - Published: 2025-07-01 14:34 - Updated: 2026-05-10 14:26

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.16. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10098	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.16. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10098",
        "url": "https://access.redhat.com/errata/RHSA-2025:10098"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10098.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:26:55+00:00",
      "generator": {
        "date": "2026-05-10T14:26:55+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10098",
      "initial_release_date": "2025-07-01T14:34:48+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T14:34:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T14:34:48+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:26:55+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.16",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.16",
                  "product_id": "9Base-OCP-Tools-4.16",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750857144-3.el9.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750857144-3.el9.src",
                  "product_id": "jenkins-0:2.504.2.1750857144-3.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750857144-3.el9?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
                  "product_id": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.16.1750857315-1.el9?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
                  "product_id": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750857144-3.el9?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
                  "product_id": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.16.1750857315-1.el9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750857144-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16",
          "product_id": "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750857144-3.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750857144-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16",
          "product_id": "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750857144-3.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16",
          "product_id": "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
        "relates_to_product_reference": "9Base-OCP-Tools-4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16",
          "product_id": "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.16.1750857315-1.el9.src",
        "relates_to_product_reference": "9Base-OCP-Tools-4.16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:34:48+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10098"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:34:48+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10098"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:34:48+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10098"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
          "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:34:48+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10098"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-0:2.504.2.1750857144-3.el9.src",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.noarch",
            "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1750857315-1.el9.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10104

Vulnerability from csaf_redhat - Published: 2025-07-01 14:56 - Updated: 2026-05-10 14:26

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10104	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.15. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10104",
        "url": "https://access.redhat.com/errata/RHSA-2025:10104"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10104.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:26:58+00:00",
      "generator": {
        "date": "2026-05-10T14:26:58+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10104",
      "initial_release_date": "2025-07-01T14:56:03+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T14:56:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T14:56:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:26:58+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.15",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.15",
                  "product_id": "8Base-OCP-Tools-4.15",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750856366-3.el8.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750856366-3.el8.src",
                  "product_id": "jenkins-0:2.504.2.1750856366-3.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750856366-3.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
                  "product_id": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.15.1750856638-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
                  "product_id": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750856366-3.el8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
                  "product_id": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.15.1750856638-1.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750856366-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15",
          "product_id": "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750856366-3.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750856366-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15",
          "product_id": "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750856366-3.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15",
          "product_id": "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15",
          "product_id": "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.15.1750856638-1.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:56:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10104"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:56:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10104"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:56:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10104"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
          "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T14:56:03+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10104"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-0:2.504.2.1750856366-3.el8.src",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.noarch",
            "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1750856638-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10118

Vulnerability from csaf_redhat - Published: 2025-07-01 16:36 - Updated: 2026-05-10 14:27

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10118	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP\nTools 4.12. Red Hat Product Security has rated this update as having a\nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10118",
        "url": "https://access.redhat.com/errata/RHSA-2025:10118"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10118.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:27:00+00:00",
      "generator": {
        "date": "2026-05-10T14:27:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10118",
      "initial_release_date": "2025-07-01T16:36:58+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T16:36:58+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T16:36:58+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:27:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.12",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.12",
                  "product_id": "8Base-OCP-Tools-4.12",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750932984-3.el8.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750932984-3.el8.src",
                  "product_id": "jenkins-0:2.504.2.1750932984-3.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750932984-3.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
                  "product_id": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1750933270-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
                  "product_id": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750932984-3.el8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
                  "product_id": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1750933270-1.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750932984-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
          "product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750932984-3.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750932984-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
          "product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750932984-3.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
          "product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
          "product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.12.1750933270-1.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:36:58+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10118"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:36:58+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10118"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:36:58+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10118"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
          "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:36:58+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10118"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-0:2.504.2.1750932984-3.el8.src",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.noarch",
            "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1750933270-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10119

Vulnerability from csaf_redhat - Published: 2025-07-01 16:31 - Updated: 2026-05-10 14:27

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.13 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10119	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Openshift Jenkins is now available for Red Hat Product OCP \nTools 4.13. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10119",
        "url": "https://access.redhat.com/errata/RHSA-2025:10119"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10119.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.13 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:27:00+00:00",
      "generator": {
        "date": "2026-05-10T14:27:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10119",
      "initial_release_date": "2025-07-01T16:31:24+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T16:31:24+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T16:31:24+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:27:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.13",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.13",
                  "product_id": "8Base-OCP-Tools-4.13",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750916374-3.el8.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750916374-3.el8.src",
                  "product_id": "jenkins-0:2.504.2.1750916374-3.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750916374-3.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.src",
                  "product_id": "jenkins-2-plugins-0:4.13.1750916671-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1750916671-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750916374-3.el8.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750916374-3.el8.noarch",
                  "product_id": "jenkins-0:2.504.2.1750916374-3.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750916374-3.el8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
                  "product_id": "jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1750916671-1.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750916374-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750916374-3.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750916374-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750916374-3.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.13.1750916671-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.13.1750916671-1.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:31:24+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10119"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:31:24+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10119"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:31:24+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10119"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:31:24+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10119"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.504.2.1750916374-3.el8.src",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1750916671-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:10120

Vulnerability from csaf_redhat - Published: 2025-07-01 16:53 - Updated: 2026-05-10 14:26

Summary

Red Hat Security Advisory: Red Hat Product OCP Tools 4.14 OpenShift Jenkins security update

Severity

Important

Notes

Topic: An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-1948

A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-22228

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-863 - Incorrect Authorization

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src	—	Vendor Fix fix Workaround

Threats

Impact Important

References

30 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:10120	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-57699	self
https://bugzilla.redhat.com/show_bug.cgi?id=2344073	external
https://www.cve.org/CVERecord?id=CVE-2024-57699	external
https://nvd.nist.gov/vuln/detail/CVE-2024-57699	external
https://github.com/TurtleLiu/Vul_PoC/tree/main/CV…	external
https://nvd.nist.gov/vuln/detail/cve-2023-1370	external
https://access.redhat.com/security/cve/CVE-2025-1948	self
https://bugzilla.redhat.com/show_bug.cgi?id=2365137	external
https://www.cve.org/CVERecord?id=CVE-2025-1948	external
https://nvd.nist.gov/vuln/detail/CVE-2025-1948	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2025-22228	self
https://bugzilla.redhat.com/show_bug.cgi?id=2353507	external
https://www.cve.org/CVERecord?id=CVE-2025-22228	external
https://nvd.nist.gov/vuln/detail/CVE-2025-22228	external
https://spring.io/security/cve-2025-22228	external
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for OpenShift Jenkins is now available for Red Hat Product OCP \nTools 4.14. Red Hat Product Security has rated this update as having a \nsecurity impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a \ndetailed severity rating, is available for each vulnerability from the CVE \nlink(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of \nrepeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for\nCVE-2023-1370) (CVE-2024-57699)\n* jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not\nenforce maximum password length (CVE-2025-22228)\n* jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)\n* jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)\n* jenkins-2-plugins: jackson-core Potential StackoverflowError\n(CVE-2025-52999)\n\nFor more details about the security issue(s), including the impact, a CVSS \nscore, acknowledgments, and other related information, refer to the CVE \npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:10120",
        "url": "https://access.redhat.com/errata/RHSA-2025:10120"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2344073",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
      },
      {
        "category": "external",
        "summary": "2353507",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
      },
      {
        "category": "external",
        "summary": "2365137",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10120.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Product OCP Tools 4.14 OpenShift Jenkins security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:26:58+00:00",
      "generator": {
        "date": "2026-05-10T14:26:58+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:10120",
      "initial_release_date": "2025-07-01T16:53:09+00:00",
      "revision_history": [
        {
          "date": "2025-07-01T16:53:09+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-01T16:53:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:26:58+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.14",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.14",
                  "product_id": "8Base-OCP-Tools-4.14",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750903189-3.el8.src",
                "product": {
                  "name": "jenkins-0:2.504.2.1750903189-3.el8.src",
                  "product_id": "jenkins-0:2.504.2.1750903189-3.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750903189-3.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.src",
                  "product_id": "jenkins-2-plugins-0:4.14.1750903529-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.14.1750903529-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.504.2.1750903189-3.el8.noarch",
                "product": {
                  "name": "jenkins-0:2.504.2.1750903189-3.el8.noarch",
                  "product_id": "jenkins-0:2.504.2.1750903189-3.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.504.2.1750903189-3.el8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
                  "product_id": "jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.14.1750903529-1.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750903189-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.14",
          "product_id": "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch"
        },
        "product_reference": "jenkins-0:2.504.2.1750903189-3.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.504.2.1750903189-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.14",
          "product_id": "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src"
        },
        "product_reference": "jenkins-0:2.504.2.1750903189-3.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.14",
          "product_id": "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.14.1750903529-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.14",
          "product_id": "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.14.1750903529-1.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.14"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2025-02-05T22:01:26.352808+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344073"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue exists because of an incomplete fix for CVE-2023-1370, therefore it only affects json-smart v2.5.0 through v2.5.1 (inclusive).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344073",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344073"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-57699",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699",
          "url": "https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/cve-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1370"
        }
      ],
      "release_date": "2025-02-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:53:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10120"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-05-08T18:00:52.156301+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2365137"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 client specifying a very large value for the SETTINGS_MAX_HEADER_LIST_SIZE parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2365137",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365137"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-1948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1948"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/56"
        }
      ],
      "release_date": "2025-05-08T17:48:40.831000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:53:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10120"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability"
    },
    {
      "cve": "CVE-2025-22228",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2025-03-20T06:00:45.196050+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2353507"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "RHBZ#2353507",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22228",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22228"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2025-22228",
          "url": "https://spring.io/security/cve-2025-22228"
        }
      ],
      "release_date": "2025-03-20T05:49:19.275000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:53:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10120"
        },
        {
          "category": "workaround",
          "details": "Red Hat Product Security does not have a recommended mitigation at this time.",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
          "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-01T16:53:09+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:10120"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-0:2.504.2.1750903189-3.el8.src",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.noarch",
            "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1750903529-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

RHSA-2025:11473

Vulnerability from csaf_redhat - Published: 2025-07-21 17:07 - Updated: 2026-05-10 14:27

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update

Severity

Important

Notes

Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4. Security Fix(es): * jackson-core: jackson-core Potential StackoverflowError (CVE-2025-52999) A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Fixed 68 products

Product	Version	Remediation
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround
Unresolved product id: 9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch	—	Vendor Fix fix Workaround

Threats

Impact Important

References

12 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:11473	self
https://access.redhat.com/security/updates/classi…	external
https://docs.redhat.com/en/documentation/red_hat_…	external
https://docs.redhat.com/en/documentation/red_hat_…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-52999	self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804	external
https://www.cve.org/CVERecord?id=CVE-2025-52999	external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999	external
https://github.com/FasterXML/jackson-core/pull/943	external
https://github.com/FasterXML/jackson-core/securit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* jackson-core: jackson-core Potential StackoverflowError (CVE-2025-52999)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:11473",
        "url": "https://access.redhat.com/errata/RHSA-2025:11473"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_11473.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update",
    "tracking": {
      "current_release_date": "2026-05-10T14:27:01+00:00",
      "generator": {
        "date": "2026-05-10T14:27:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2025:11473",
      "initial_release_date": "2025-07-21T17:07:33+00:00",
      "revision_history": [
        {
          "date": "2025-07-21T17:07:33+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-07-21T17:07:33+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-10T14:27:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
                  "product_id": "7Server-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 8",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 8",
                  "product_id": "8Base-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 9",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 9",
                  "product_id": "9Base-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-2.redhat_00004.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-2.redhat_00004.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-2.redhat_00004.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el9eap?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.23-4.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.23-4.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.23-4.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.23-4.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk17@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.23-4.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
                  "product_id": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-2.SP1_redhat_00001.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                "product": {
                  "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_id": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-2.redhat_00004.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk17@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.23-4.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src"
        },
        "product_reference": "eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-21T17:07:33+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:11473"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el7eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el8eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-2.SP1_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-2.redhat_00004.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.23-4.GA_redhat_00003.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.23-4.GA_redhat_00003.1.el9eap.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-52999 (GCVE-0-2025-52999)

Tags

Sightings

Nomenclature