Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-48924 (GCVE-0-2025-48924)
Vulnerability from cvelistv5
Published
2025-07-11 14:56
Modified
2025-07-14 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
References
| ► | URL | Tags | |||||
|---|---|---|---|---|---|---|---|
|
|||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Apache Software Foundation | Apache Commons Lang |
Version: 2.0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T16:36:59.432024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T16:37:02.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unknown",
"packageName": "commons-lang:commons-lang",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.6",
"status": "affected",
"version": "2.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-lang3",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.18.0",
"status": "affected",
"version": "3.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "OSS-Fuzz Issue 42522972"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:56:58.049Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48924",
"datePublished": "2025-07-11T14:56:58.049Z",
"dateReserved": "2025-05-28T15:06:51.476Z",
"dateUpdated": "2025-07-14T16:37:02.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48924\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-07-11T15:15:24.347\",\"lastModified\":\"2025-07-28T13:45:38.647\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\u00a0cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de recursi\u00f3n incontrolada en Apache Commons Lang. Este problema afecta a Apache Commons Lang: a partir de commons-lang:commons-lang 2.0 a 2.6, y desde org.apache.commons:commons-lang3 3.0 hasta 3.18.0. El m\u00e9todo ClassUtils.getClass(...) puede generar un error de StackOverflowError en entradas muy largas. Dado que las aplicaciones y librer\u00edas no suelen gestionar un error, un error de StackOverflowError podr\u00eda provocar la detenci\u00f3n de una aplicaci\u00f3n. Se recomienda actualizar a la versi\u00f3n 3.18.0, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndExcluding\":\"2.6\",\"matchCriteriaId\":\"88B2D4D0-4FA9-443F-8195-E1C35122DC0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0\",\"versionEndExcluding\":\"3.18.0\",\"matchCriteriaId\":\"71219CE6-DF6F-469F-A603-C28B43865D7A\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48924\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-14T16:36:59.432024Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T20:10:08.183Z\"}}], \"cna\": {\"title\": \"Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"OSS-Fuzz Issue 42522972\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons Lang\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"2.6\"}], \"packageName\": \"commons-lang:commons-lang\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons Lang\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0\", \"lessThan\": \"3.18.0\", \"versionType\": \"maven\"}], \"packageName\": \"org.apache.commons:commons-lang3\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with\\u00a0commons-lang:commons-lang\\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\\u00a03.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw\\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\\u00a0cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \\nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674 Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-07-11T14:56:58.049Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48924\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-14T16:37:02.057Z\", \"dateReserved\": \"2025-05-28T15:06:51.476Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-07-11T14:56:58.049Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
suse-su-2025:02785-1
Vulnerability from csaf_suse
Published
2025-08-13 11:50
Modified
2025-08-13 11:50
Summary
Security update for apache-commons-lang3
Notes
Title of the patch
Security update for apache-commons-lang3
Description of the patch
This update for apache-commons-lang3 fixes the following issues:
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames
SUSE-2025-2785,SUSE-SLE-Module-Basesystem-15-SP6-2025-2785,SUSE-SLE-Module-Basesystem-15-SP7-2025-2785,openSUSE-SLE-15.6-2025-2785
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2785,SUSE-SLE-Module-Basesystem-15-SP6-2025-2785,SUSE-SLE-Module-Basesystem-15-SP7-2025-2785,openSUSE-SLE-15.6-2025-2785",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02785-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02785-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502785-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02785-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041196.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-13T11:50:54Z",
"generator": {
"date": "2025-08-13T11:50:54Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02785-1",
"initial_release_date": "2025-08-13T11:50:54Z",
"revision_history": [
{
"date": "2025-08-13T11:50:54Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"product": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"product_id": "apache-commons-lang-2.6-150200.14.3.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"product": {
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"product_id": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-150200.14.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
},
"product_reference": "apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-2.6-150200.14.3.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang-javadoc-2.6-150200.14.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-13T11:50:54Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
suse-su-2025:02786-1
Vulnerability from csaf_suse
Published
2025-08-13 11:51
Modified
2025-08-13 11:51
Summary
Security update for apache-commons-lang3
Notes
Title of the patch
Security update for apache-commons-lang3
Description of the patch
This update for apache-commons-lang3 fixes the following issues:
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames
SUSE-2025-2786,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2786
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2786,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2786",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02786-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02786-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502786-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02786-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041195.html"
},
{
"category": "self",
"summary": "SUSE Bug 1085999",
"url": "https://bugzilla.suse.com/1085999"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-13T11:51:16Z",
"generator": {
"date": "2025-08-13T11:51:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02786-1",
"initial_release_date": "2025-08-13T11:51:16Z",
"revision_history": [
{
"date": "2025-08-13T11:51:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang-2.6-5.3.1.noarch",
"product": {
"name": "apache-commons-lang-2.6-5.3.1.noarch",
"product_id": "apache-commons-lang-2.6-5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang-javadoc-2.6-5.3.1.noarch",
"product": {
"name": "apache-commons-lang-javadoc-2.6-5.3.1.noarch",
"product_id": "apache-commons-lang-javadoc-2.6-5.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang-2.6-5.3.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
},
"product_reference": "apache-commons-lang-2.6-5.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache-commons-lang-2.6-5.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-13T11:51:16Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
suse-su-2025:02818-1
Vulnerability from csaf_suse
Published
2025-08-15 12:56
Modified
2025-08-15 12:56
Summary
Security update for apache-commons-lang3
Notes
Title of the patch
Security update for apache-commons-lang3
Description of the patch
This update for apache-commons-lang3 fixes the following issues:
- Update to version 3.18.0
- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)
Patchnames
SUSE-2025-2818,SUSE-SLE-Module-Basesystem-15-SP6-2025-2818,SUSE-SLE-Module-Basesystem-15-SP7-2025-2818,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2025-2818,openSUSE-SLE-15.6-2025-2818
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3 fixes the following issues:\n\n- Update to version 3.18.0 \n- CVE-2025-48924: Fixed an uncontrolled recursion vulnerability that may lead to a DoS. (bsc#1246397)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2818,SUSE-SLE-Module-Basesystem-15-SP6-2025-2818,SUSE-SLE-Module-Basesystem-15-SP7-2025-2818,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2025-2818,openSUSE-SLE-15.6-2025-2818",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02818-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02818-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502818-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02818-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041221.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246397",
"url": "https://bugzilla.suse.com/1246397"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "Security update for apache-commons-lang3",
"tracking": {
"current_release_date": "2025-08-15T12:56:26Z",
"generator": {
"date": "2025-08-15T12:56:26Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02818-1",
"initial_release_date": "2025-08-15T12:56:26Z",
"revision_history": [
{
"date": "2025-08-15T12:56:26Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"product_id": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"product_id": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server Module 4.3",
"product": {
"name": "SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Manager Server Module 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Basesystem 15 SP6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP7:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"SUSE Manager Server Module 4.3:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-3.18.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-lang3-javadoc-3.18.0-150200.3.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-15T12:56:26Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
wid-sec-w-2025-1540
Vulnerability from csaf_certbund
Published
2025-07-13 22:00
Modified
2025-07-29 22:00
Summary
Apache Commons Lang: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons Lang ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
- UNIX
{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons Lang ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1540 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1540.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1540 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1540"
},
{
"category": "external",
"summary": "Mailing list OSS Security vom 2025-07-13",
"url": "https://seclists.org/oss-sec/2025/q3/32"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-j288-q9x7-2f5v vom 2025-07-13",
"url": "https://github.com/advisories/GHSA-j288-q9x7-2f5v"
},
{
"category": "external",
"summary": "Red Hat Bugtracker #2379554 vom 2025-07-13",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15347-1 vom 2025-07-17",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LGR6UBT67EURFPFBQYCGTOHPDNATFA6B/"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7240960 vom 2025-07-29",
"url": "https://www.ibm.com/support/pages/node/7240960"
}
],
"source_lang": "en-US",
"title": "Apache Commons Lang: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2025-07-29T22:00:00.000+00:00",
"generator": {
"date": "2025-07-30T08:44:44.974+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1540",
"initial_release_date": "2025-07-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-07-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-07-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-07-29T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Lang \u003c=2.6",
"product": {
"name": "Apache Commons Lang \u003c=2.6",
"product_id": "T045327"
}
},
{
"category": "product_version_range",
"name": "Lang \u003c=2.6",
"product": {
"name": "Apache Commons Lang \u003c=2.6",
"product_id": "T045327-fixed"
}
},
{
"category": "product_version_range",
"name": "Lang \u003c3.18.0",
"product": {
"name": "Apache Commons Lang \u003c3.18.0",
"product_id": "T045328"
}
},
{
"category": "product_version",
"name": "Lang 3.18.0",
"product": {
"name": "Apache Commons Lang 3.18.0",
"product_id": "T045328-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:commons:lang__3.18.0"
}
}
}
],
"category": "product_name",
"name": "Commons"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "6.3",
"product": {
"name": "IBM Sterling Connect:Direct 6.3",
"product_id": "T045739",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.3"
}
}
}
],
"category": "product_name",
"name": "Sterling Connect:Direct"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T045328",
"T027843",
"T045739"
],
"last_affected": [
"T045327"
]
},
"release_date": "2025-07-13T22:00:00.000+00:00",
"title": "CVE-2025-48924"
}
]
}
ghsa-j288-q9x7-2f5v
Vulnerability from github
Published
2025-07-11 15:31
Modified
2025-07-12 00:48
Severity ?
VLAI Severity ?
Summary
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-lang3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "commons-lang:commons-lang"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"last_affected": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48924"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-12T00:48:03Z",
"nvd_published_at": "2025-07-11T15:15:24Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"id": "GHSA-j288-q9x7-2f5v",
"modified": "2025-07-12T00:48:03Z",
"published": "2025-07-11T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-lang"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs"
}
opensuse-su-2025:15347-1
Vulnerability from csaf_opensuse
Published
2025-07-16 00:00
Modified
2025-07-16 00:00
Summary
apache-commons-lang3-3.18.0-1.1 on GA media
Notes
Title of the patch
apache-commons-lang3-3.18.0-1.1 on GA media
Description of the patch
These are all security issues fixed in the apache-commons-lang3-3.18.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15347
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apache-commons-lang3-3.18.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apache-commons-lang3-3.18.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15347",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15347-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
}
],
"title": "apache-commons-lang3-3.18.0-1.1 on GA media",
"tracking": {
"current_release_date": "2025-07-16T00:00:00Z",
"generator": {
"date": "2025-07-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15347-1",
"initial_release_date": "2025-07-16T00:00:00Z",
"revision_history": [
{
"date": "2025-07-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-1.1.aarch64",
"product": {
"name": "apache-commons-lang3-3.18.0-1.1.aarch64",
"product_id": "apache-commons-lang3-3.18.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"product_id": "apache-commons-lang3-javadoc-3.18.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-1.1.ppc64le",
"product": {
"name": "apache-commons-lang3-3.18.0-1.1.ppc64le",
"product_id": "apache-commons-lang3-3.18.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"product_id": "apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-1.1.s390x",
"product": {
"name": "apache-commons-lang3-3.18.0-1.1.s390x",
"product_id": "apache-commons-lang3-3.18.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"product_id": "apache-commons-lang3-javadoc-3.18.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-lang3-3.18.0-1.1.x86_64",
"product": {
"name": "apache-commons-lang3-3.18.0-1.1.x86_64",
"product_id": "apache-commons-lang3-3.18.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.x86_64",
"product": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.x86_64",
"product_id": "apache-commons-lang3-javadoc-3.18.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.aarch64"
},
"product_reference": "apache-commons-lang3-3.18.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.ppc64le"
},
"product_reference": "apache-commons-lang3-3.18.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.s390x"
},
"product_reference": "apache-commons-lang3-3.18.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.18.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.x86_64"
},
"product_reference": "apache-commons-lang3-3.18.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.aarch64"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.s390x"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.18.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.x86_64"
},
"product_reference": "apache-commons-lang3-javadoc-3.18.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-3.18.0-1.1.x86_64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.aarch64",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.ppc64le",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.s390x",
"openSUSE Tumbleweed:apache-commons-lang3-javadoc-3.18.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
}
]
}
fkie_cve-2025-48924
Vulnerability from fkie_nvd
Published
2025-07-11 15:15
Modified
2025-07-28 13:45
Severity ?
Summary
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1 | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | commons_lang | * | |
| apache | commons_lang | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*",
"matchCriteriaId": "88B2D4D0-4FA9-443F-8195-E1C35122DC0B",
"versionEndExcluding": "2.6",
"versionStartIncluding": "2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:commons_lang:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71219CE6-DF6F-469F-A603-C28B43865D7A",
"versionEndExcluding": "3.18.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de recursi\u00f3n incontrolada en Apache Commons Lang. Este problema afecta a Apache Commons Lang: a partir de commons-lang:commons-lang 2.0 a 2.6, y desde org.apache.commons:commons-lang3 3.0 hasta 3.18.0. El m\u00e9todo ClassUtils.getClass(...) puede generar un error de StackOverflowError en entradas muy largas. Dado que las aplicaciones y librer\u00edas no suelen gestionar un error, un error de StackOverflowError podr\u00eda provocar la detenci\u00f3n de una aplicaci\u00f3n. Se recomienda actualizar a la versi\u00f3n 3.18.0, que soluciona el problema."
}
],
"id": "CVE-2025-48924",
"lastModified": "2025-07-28T13:45:38.647",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-11T15:15:24.347",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
rhsa-2025:12511
Vulnerability from csaf_redhat
Published
2025-08-01 17:42
Modified
2025-08-14 19:32
Summary
Red Hat Security Advisory: Streams for Apache Kafka 3.0.0 release and security update
Notes
Topic
Streams for Apache Kafka 3.0.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 3.0.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.9.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Cruise Control: json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) Security [amq-st-2] "(CVE-2023-1370)"
* Cruise Control, Drain Cleaner: io.netty:netty-handler: SslHandler doesn't
correctly validate packets which can lead to native crash when using native
SSLEngine Security[amq-st-2] "(CVE-2025-24970)"
* Cruise Control, Drain Cleaner: netty: Denial of Service attack on windows app using Netty Security [amq-st-2] "(CVE-2025-25193)"
Cruise Control: kafka: Apache Kafka: SCRAM authentication vulnerable to replay
attacks when used without encryption Security [amq-st-2] "(CVE-2024-56128)"
* Cruise Control: kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider Security [amq-st-2] "(CVE-2024-31141)"
* Cruise Control, Operator: Jetty: Gzip Request Body Buffer Corruption
Security[amq-st-2]"(CVE-2024-13009)"
* Cruise Control: org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority Security [amq-st-2] "(CVE-2024-6763)"
* Cruise Control: commons-beanutils: Apache Commons BeanUtils:
PropertyUtilsBean does not suppresses an enum's declaredClass property by
default Security [amq-st-2] "(CVE-2025-48734)"
* Cruise Control, Kafka, Drain Cleaner, Console: commons-lang-library:
Uncontrolled recursion flaw in Apache Commons Lang library [amq-st-2] "(CVE-2025-48924)"
* Opetator, Bridge: io.quarkus:quarkus-vertx package: data leak vulnerability has been discovered in the io.quarkus: quarkus-vertx package[amq-st-2] "(CVE-2025-49574)"
* Kafka, Operator, Bridge, Cruise Control, Bridge: Connect2id Nimbus JOSE + JWT: Denial of service flaw [amq-st-2] "(CVE-2025-53864)"
* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout [amq-st-2] "(CVE-2025-1634)"
* Drain Cleaner: netty: Denial of Service attack on windows app using Netty[amq-st-2] "(CVE-2024-47535)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 3.0.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 3.0.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.9.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control: json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) Security [amq-st-2] \"(CVE-2023-1370)\"\n* Cruise Control, Drain Cleaner: io.netty:netty-handler: SslHandler doesn\u0027t\ncorrectly validate packets which can lead to native crash when using native\nSSLEngine Security[amq-st-2] \"(CVE-2025-24970)\"\n* Cruise Control, Drain Cleaner: netty: Denial of Service attack on windows app using Netty Security [amq-st-2] \"(CVE-2025-25193)\"\nCruise Control: kafka: Apache Kafka: SCRAM authentication vulnerable to replay\nattacks when used without encryption Security [amq-st-2] \"(CVE-2024-56128)\"\n* Cruise Control: kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider Security [amq-st-2] \"(CVE-2024-31141)\"\n* Cruise Control, Operator: Jetty: Gzip Request Body Buffer Corruption\nSecurity[amq-st-2]\"(CVE-2024-13009)\"\n* Cruise Control: org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority Security [amq-st-2] \"(CVE-2024-6763)\"\n* Cruise Control: commons-beanutils: Apache Commons BeanUtils:\nPropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by\ndefault Security [amq-st-2] \"(CVE-2025-48734)\"\n* Cruise Control, Kafka, Drain Cleaner, Console: commons-lang-library: \nUncontrolled recursion flaw in Apache Commons Lang library [amq-st-2] \"(CVE-2025-48924)\"\n* Opetator, Bridge: io.quarkus:quarkus-vertx package: data leak vulnerability has been discovered in the io.quarkus: quarkus-vertx package[amq-st-2] \"(CVE-2025-49574)\"\n* Kafka, Operator, Bridge, Cruise Control, Bridge: Connect2id Nimbus JOSE + JWT: Denial of service flaw [amq-st-2] \"(CVE-2025-53864)\"\n* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout [amq-st-2] \"(CVE-2025-1634)\"\n* Drain Cleaner: netty: Denial of Service attack on windows app using Netty[amq-st-2] \"(CVE-2024-47535)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:12511",
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "2318563",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318563"
},
{
"category": "external",
"summary": "2325538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
},
{
"category": "external",
"summary": "2327264",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
},
{
"category": "external",
"summary": "2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "2344787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344787"
},
{
"category": "external",
"summary": "2344788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344788"
},
{
"category": "external",
"summary": "2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "2365135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"
},
{
"category": "external",
"summary": "2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "2379485",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379485"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "ENTMQST-6772",
"url": "https://issues.redhat.com/browse/ENTMQST-6772"
},
{
"category": "external",
"summary": "ENTMQST-6773",
"url": "https://issues.redhat.com/browse/ENTMQST-6773"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_12511.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 3.0.0 release and security update",
"tracking": {
"current_release_date": "2025-08-14T19:32:11+00:00",
"generator": {
"date": "2025-08-14T19:32:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2025:12511",
"initial_release_date": "2025-08-01T17:42:40+00:00",
"revision_history": [
{
"date": "2025-08-01T17:42:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-01T17:42:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-14T19:32:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 3.0.0",
"product": {
"name": "Streams for Apache Kafka 3.0.0",
"product_id": "Streams for Apache Kafka 3.0.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:3.0::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1370",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2188542"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1370"
},
{
"category": "external",
"summary": "RHBZ#2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
"url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
"url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
},
{
"cve": "CVE-2024-6763",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2024-10-14T16:00:54.963689+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318563"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty. The HttpURI class performs insufficient validation on the authority segment of a URI. The HttpURI and the browser may differ on the value of the host extracted from an invalid URI. This combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or an SSRF attack if the URI is used after passing validation checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For this attack to work, you would require the victim to have a vulnerable browser on top of that the URI being used after insufficient validation, all of which makes this a low-severity flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-6763"
},
{
"category": "external",
"summary": "RHBZ#2318563",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318563"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-6763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6763"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/pull/12012",
"url": "https://github.com/jetty/jetty.project/pull/12012"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/25",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/25"
}
],
"release_date": "2024-10-14T15:06:07.298000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority"
},
{
"cve": "CVE-2024-13009",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"discovery_date": "2025-05-08T18:00:47.047186+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2365135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Eclipse Jetty. This vulnerability allows corrupted and inadvertent data sharing between requests via a gzip error when inflating a request body. If the request body is malformed, the gzip decompression process can fail, resulting in the application inadvertently using data from a previous request when processing the current one.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty-server: Jetty: Gzip Request Body Buffer Corruption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as an IMPORTANT severity because a buffer management vulnerability exists within the GzipHandler\u0027s buffer release mechanism when encountering gzip errors during request body inflation, this flaw can lead to the incorrect release and subsequent inadvertent sharing and corruption of request body data between concurrent uncompressed requests, results in data exposure and incorrect processing of requests due to corrupted input.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-13009"
},
{
"category": "external",
"summary": "RHBZ#2365135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"
}
],
"release_date": "2025-05-08T17:29:31.380000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jetty-server: Jetty: Gzip Request Body Buffer Corruption"
},
{
"cve": "CVE-2024-31141",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"discovery_date": "2024-11-19T09:00:35.857468+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2327264"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-269: Improper Privilege Management or CWE-552: Files or Directories Accessible to External Parties vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces strict Role-Based Access Control (RBAC), network segmentation, and pod security policies that significantly limit external access pathways. Access to the platform is granted only after successful hard token, multi-factor authentication (MFA), which is coupled with least privilege principles to ensure that only authorized roles and users can execute or manipulate code. Additionally, process isolation ensures that processes running in one container or namespace cannot access files or directories belonging to another, even if file permissions are misconfigured.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-31141"
},
{
"category": "external",
"summary": "RHBZ#2327264",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-31141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv",
"url": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv"
}
],
"release_date": "2024-11-19T08:40:50.695000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider"
},
{
"cve": "CVE-2024-47535",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-11-12T16:01:18.772613+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2325538"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Denial of Service attack on windows app using Netty",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47535"
},
{
"category": "external",
"summary": "RHBZ#2325538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3",
"url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"
}
],
"release_date": "2024-11-12T15:50:08.334000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Denial of Service attack on windows app using Netty"
},
{
"cve": "CVE-2024-56128",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2024-12-18T14:00:43.732728+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2333013"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Kafka\u0027s implementation of the Salted Challenge Response Authentication Mechanism (SCRAM), which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka\u0027s SCRAM implementation did not perform this validation. In environments where SCRAM is operated over plaintext communication channels, an attacker with access to the exchange can intercept and potentially reuse authentication messages, leveraging the weak nonce validation to gain unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked with an Important severity because it compromises a fundamental security requirement of the SCRAM protocol as specified in RFC 5802 \u2014the validation of nonces for ensuring message integrity and preventing replay attacks. Without proper nonce validation, an attacker with plaintext access to the SCRAM authentication exchange could manipulate or replay parts of the authentication process, potentially gaining unauthorized access or disrupting the integrity of authentication. While the use of plaintext communication for SCRAM is discouraged, many legacy systems or misconfigured deployments may still rely on it, making them directly susceptible.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-56128"
},
{
"category": "external",
"summary": "RHBZ#2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-56128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56128"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802",
"url": "https://datatracker.ietf.org/doc/html/rfc5802"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802#section-9",
"url": "https://datatracker.ietf.org/doc/html/rfc5802#section-9"
},
{
"category": "external",
"summary": "https://kafka.apache.org/documentation/#security_sasl_scram_security",
"url": "https://kafka.apache.org/documentation/#security_sasl_scram_security"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw",
"url": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw"
}
],
"release_date": "2024-12-18T13:38:03.068000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption"
},
{
"cve": "CVE-2025-1634",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2025-02-24T14:17:31.237000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2347319"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked as and Important severity rather than Moderate because it allows an unauthenticated attacker to trigger a denial of service condition by repeatedly sending crafted HTTP requests with low timeouts. The issue leads to a memory leak that cannot be recovered without restarting the application, ultimately resulting in an OutOfMemoryError and complete service failure.\n\nIn a production environment, this vulnerability poses a significant risk to availability, especially for applications handling multiple concurrent requests. Since no mitigation exists, all applications using quarkus-resteasy are affected until patched. The ease of exploitation, lack of required privileges, and high impact on service uptime justify the high severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1634"
},
{
"category": "external",
"summary": "RHBZ#2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1634",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1634"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634"
}
],
"release_date": "2025-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout"
},
{
"cve": "CVE-2025-24970",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2025-02-10T23:00:52.785132+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344787"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s SslHandler. This vulnerability allows a native crash via a specially crafted packet that bypasses proper validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.netty:netty-handler: SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Netty\u0027s SslHandler is of important severity rather than moderate because it directly impacts the stability and reliability of applications using native SSLEngine. By sending a specially crafted packet, an attacker can trigger a native crash, leading to a complete process termination. Unlike typical moderate vulnerabilities that might cause limited disruptions or require specific conditions, this flaw can be exploited remotely to induce a Denial of Service (DoS), affecting high-availability systems and mission-critical services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-24970"
},
{
"category": "external",
"summary": "RHBZ#2344787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344787"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4",
"url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw",
"url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
}
],
"release_date": "2025-02-10T21:57:28.730000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.netty:netty-handler: SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine"
},
{
"cve": "CVE-2025-25193",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-02-10T23:00:54.794769+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2344788"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. An unsafe reading of the environment file could cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Denial of Service attack on windows app using Netty",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects Windows environments, therefore, this would affect an environment when running a supported Red Hat JBoss EAP 7 or 8, for example, if running on Windows.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-25193"
},
{
"category": "external",
"summary": "RHBZ#2344788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344788"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386",
"url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx",
"url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx"
}
],
"release_date": "2025-02-10T22:02:17.197000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Currently, no mitigation is available for this vulnerability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Denial of Service attack on windows app using Netty"
},
{
"cve": "CVE-2025-48734",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2025-05-28T14:00:56.619771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2368956"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as important severity because a flaw exists in Apache Commons BeanUtils, where PropertyUtilsBean and BeanUtilsBean allow uncontrolled access to the declaredClass property of Java enum objects. Applications that pass untrusted property paths directly to getProperty() or getNestedProperty() methods are at risk, as attackers can exploit this behavior to retrieve the ClassLoader instance and execute arbitrary code in the context of the affected application. This issue leads to compromise of confidentiality, integrity, and availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48734"
},
{
"category": "external",
"summary": "RHBZ#2368956",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368956"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9",
"url": "https://github.com/advisories/GHSA-wxr5-93ph-8wr9"
},
{
"category": "external",
"summary": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc",
"url": "https://github.com/apache/commons-beanutils/commit/28ad955a1613ed5885870cc7da52093c1ce739dc"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9",
"url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2025/05/28/6",
"url": "https://www.openwall.com/lists/oss-security/2025/05/28/6"
}
],
"release_date": "2025-05-28T13:32:08.300000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum\u0027s declaredClass property by default"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-49574",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2025-06-23T20:00:57.216622+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374376"
}
],
"notes": [
{
"category": "description",
"text": "A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus/quarkus-vertx: Quarkus potential data leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49574"
},
{
"category": "external",
"summary": "RHBZ#2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49574"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1",
"url": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/48227",
"url": "https://github.com/quarkusio/quarkus/issues/48227"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4"
}
],
"release_date": "2025-06-23T19:47:05.454000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.quarkus/quarkus-vertx: Quarkus potential data leak"
},
{
"cve": "CVE-2025-53864",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T03:00:49.299379+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379485"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw has been discovered in Connect2id Nimbus JOSE + JWT. This issue can allow a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "com.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.0.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53864"
},
{
"category": "external",
"summary": "RHBZ#2379485",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379485"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53864"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864"
},
{
"category": "external",
"summary": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested",
"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested"
},
{
"category": "external",
"summary": "https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b",
"url": "https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b"
},
{
"category": "external",
"summary": "https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0",
"url": "https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0"
}
],
"release_date": "2025-07-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-01T17:42:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.0.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "com.nimbusds/nimbus-jose-jwt: Uncontrolled recursion in Connect2id Nimbus JOSE + JWT"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…