cvelistv5 - cve-2025-5417

CVE-2025-5417 (GCVE-0-2025-5417)

Vulnerability from cvelistv5

Published

2025-08-19 04:28

Modified

2025-08-20 16:29

Severity ?

6.1 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-266 - Incorrect Privilege Assignment

Summary

An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.

References

►

URL

	Vendor	Product	Version
	Red Hat	Red Hat Developer Hub 1.7	Unaffected: sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c < * cpe:/a:redhat:rhdh:1.7::el9

ghsa-qxg3-p56f-vx54

Vulnerability from github

Published

2025-08-19 06:30

Modified

2025-08-19 18:31

Severity ?

6.1 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-5417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T05:15:29Z",
    "severity": "MODERATE"
  },
  "details": "An insufficient access control vulnerability was found in the Red Hat\nDeveloper Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the\nrhdh/rhdh-hub-rhel9 container image and modify the image\u0027s content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.",
  "id": "GHSA-qxg3-p56f-vx54",
  "modified": "2025-08-19T18:31:30Z",
  "published": "2025-08-19T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5417"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:14090"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-5417"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

rhsa-2025:14090

Vulnerability from csaf_redhat

Published

2025-08-19 11:33

Modified

2025-08-22 03:20

Summary

Red Hat Security Advisory: Red Hat Developer Hub 1.7.0 release.

Notes

Topic

Red Hat Developer Hub 1.7.0 has been released.

Details

Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.7.0 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:14090",
        "url": "https://access.redhat.com/errata/RHSA-2025:14090"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-22870",
        "url": "https://access.redhat.com/security/cve/CVE-2025-22870"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-32996",
        "url": "https://access.redhat.com/security/cve/CVE-2025-32996"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-32997",
        "url": "https://access.redhat.com/security/cve/CVE-2025-32997"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-48387",
        "url": "https://access.redhat.com/security/cve/CVE-2025-48387"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-48997",
        "url": "https://access.redhat.com/security/cve/CVE-2025-48997"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-5417",
        "url": "https://access.redhat.com/security/cve/CVE-2025-5417"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-54419",
        "url": "https://access.redhat.com/security/cve/CVE-2025-54419"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-6545",
        "url": "https://access.redhat.com/security/cve/CVE-2025-6545"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-7338",
        "url": "https://access.redhat.com/security/cve/CVE-2025-7338"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
        "url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
      },
      {
        "category": "external",
        "summary": "https://developers.redhat.com/rhdh/overview",
        "url": "https://developers.redhat.com/rhdh/overview"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
        "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-6469",
        "url": "https://issues.redhat.com/browse/RHIDP-6469"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-6470",
        "url": "https://issues.redhat.com/browse/RHIDP-6470"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-6937",
        "url": "https://issues.redhat.com/browse/RHIDP-6937"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14090.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Developer Hub 1.7.0 release.",
    "tracking": {
      "current_release_date": "2025-08-22T03:20:59+00:00",
      "generator": {
        "date": "2025-08-22T03:20:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.6"
        }
      },
      "id": "RHSA-2025:14090",
      "initial_release_date": "2025-08-19T11:33:06+00:00",
      "revision_history": [
        {
          "date": "2025-08-19T11:33:06+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-08-19T11:33:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-08-22T03:20:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Developer Hub 1.7",
                "product": {
                  "name": "Red Hat Developer Hub 1.7",
                  "product_id": "Red Hat Developer Hub 1.7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.7::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Aaa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754936470"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754935808"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256%3A7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.0-1754942441"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64 as a component of Red Hat Developer Hub 1.7",
          "product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64 as a component of Red Hat Developer Hub 1.7",
          "product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64 as a component of Red Hat Developer Hub 1.7",
          "product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-5417",
      "cwe": {
        "id": "CWE-266",
        "name": "Incorrect Privilege Assignment"
      },
      "discovery_date": "2025-05-31T22:35:41+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2369602"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An insufficient access control vulnerability was found in the Red Hat\nDeveloper Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the\nrhdh/rhdh-hub-rhel9 container image and modify the image\u0027s content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rhdh: Red Hat Developer Hub user permissions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Developer Hub 1.6 is not affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-5417"
        },
        {
          "category": "external",
          "summary": "RHBZ#2369602",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369602"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-5417",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-5417"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-5417",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5417"
        }
      ],
      "release_date": "2025-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Red Hat Developer Hub 1.5 contains mitigation guidelines present at https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.5/html/configuring_red_hat_developer_hub/readonlyrootfilesystem",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "rhdh: Red Hat Developer Hub user permissions"
    },
    {
      "cve": "CVE-2025-6545",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2025-06-23T19:00:51.575615+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374370"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When executing in javascript engines other than Nodejs or Nodejs when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security guarantees of the package.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pbkdf2: pbkdf2 silently returns predictable key material",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is rated important because it causes the pbkdf2 module to quietly return weak or zero-filled keys when certain algorithm names are used incorrectly in browsers or bundled code, this causes the function to silently return a predictable value (such as a zero-filled buffer or uninitialized memory) instead of a securely derived key, completely undermining the confidentiality and integrity of any cryptographic operation where attackers could guess or reuse these keys to access or change protected data.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-6545"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374370",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374370"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-6545",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-6545"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545"
        },
        {
          "category": "external",
          "summary": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078",
          "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078"
        },
        {
          "category": "external",
          "summary": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb",
          "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb"
        },
        {
          "category": "external",
          "summary": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6",
          "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6"
        }
      ],
      "release_date": "2025-06-23T18:41:18.771000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "pbkdf2: pbkdf2 silently returns predictable key material"
    },
    {
      "cve": "CVE-2025-7338",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "discovery_date": "2025-07-17T16:00:55.704118+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2381726"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability was found in the Multer NPM library. This vulnerability allows an attacker to trigger a denial of service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, resulting in a process crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "multer: Multer Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-7338"
        },
        {
          "category": "external",
          "summary": "RHBZ#2381726",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381726"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-7338",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-7338"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-7338",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7338"
        },
        {
          "category": "external",
          "summary": "https://cna.openjsf.org/security-advisories.html",
          "url": "https://cna.openjsf.org/security-advisories.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b",
          "url": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p",
          "url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"
        }
      ],
      "release_date": "2025-07-17T15:26:45.427000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "multer: Multer Denial of Service"
    },
    {
      "cve": "CVE-2025-22870",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2025-03-12T19:00:59.178193+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2351766"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in proxy host matching. This vulnerability allows improper bypassing of proxy settings via manipulating an IPv6 zone ID, causing unintended matches against the NO_PROXY environment variable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-20: Improper Input Validation vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by input validation vulnerabilities. Security testing and evaluation standards are implemented within the environment to rigorously test input validation mechanisms during the development lifecycle, while static code analysis identifies potential input validation vulnerabilities by default. Process isolation ensures that processes handling potentially malicious or unvalidated inputs run in isolated environments by separating execution domains for each process. Malicious code protections such as IPS/IDS and antimalware solutions help detect and mitigate malicious payloads stemming from input validation vulnerabilities. Finally, robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks further.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-22870"
        },
        {
          "category": "external",
          "summary": "RHBZ#2351766",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351766"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-22870",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22870",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22870"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/654697",
          "url": "https://go.dev/cl/654697"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/71984",
          "url": "https://go.dev/issue/71984"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3503",
          "url": "https://pkg.go.dev/vuln/GO-2025-3503"
        }
      ],
      "release_date": "2025-03-12T18:27:59.376000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
    },
    {
      "cve": "CVE-2025-32996",
      "cwe": {
        "id": "CWE-670",
        "name": "Always-Incorrect Control Flow Implementation"
      },
      "discovery_date": "2025-04-15T03:00:44.384011+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2359627"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because \"else if\" is not used.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "http-proxy-middleware: Always-Incorrect Control Flow Implementation in http-proxy-middleware",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-32996"
        },
        {
          "category": "external",
          "summary": "RHBZ#2359627",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359627"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-32996",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-32996"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-32996",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32996"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145",
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/020976044d113fc0bcbbaf995e91d05e2829a145"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/pull/1089",
          "url": "https://github.com/chimurai/http-proxy-middleware/pull/1089"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8",
          "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.8"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4",
          "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4"
        }
      ],
      "release_date": "2025-04-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "http-proxy-middleware: Always-Incorrect Control Flow Implementation in http-proxy-middleware"
    },
    {
      "cve": "CVE-2025-32997",
      "cwe": {
        "id": "CWE-754",
        "name": "Improper Check for Unusual or Exceptional Conditions"
      },
      "discovery_date": "2025-04-15T03:00:47.160071+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2359628"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in http-proxy-middleware. The issue occurs because the fixRequestBody function proceeds even when bodyParser has failed, which could lead to unintended behavior.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "http-proxy-middleware: Improper Check for Unusual or Exceptional Conditions in http-proxy-middleware",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-32997"
        },
        {
          "category": "external",
          "summary": "RHBZ#2359628",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359628"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-32997",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-32997"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-32997",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32997"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/commit/1bdccbeec243850f1d2bb50ea0ff2151e725d67e",
          "url": "https://github.com/chimurai/http-proxy-middleware/commit/1bdccbeec243850f1d2bb50ea0ff2151e725d67e"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/pull/1096",
          "url": "https://github.com/chimurai/http-proxy-middleware/pull/1096"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9",
          "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9"
        },
        {
          "category": "external",
          "summary": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5",
          "url": "https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5"
        }
      ],
      "release_date": "2025-04-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "http-proxy-middleware: Improper Check for Unusual or Exceptional Conditions in http-proxy-middleware"
    },
    {
      "cve": "CVE-2025-48387",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2025-06-02T20:00:45.526571+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2369875"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability in tar-fs is Important not a moderate flaw, primarily due to its ability to bypass directory confinement during tarball extraction. The core issue\u2014path traversal via crafted archive entries\u2014allows attackers to write files outside the intended extraction directory, potentially overwriting system files, configuration files, or injecting malicious scripts into sensitive locations. Unlike moderate flaws that may require specific conditions or user interaction to exploit, this vulnerability can be triggered automatically in server-side environments that extract user-supplied tar files (e.g., CI/CD systems, deployment tools, or file upload handlers). Its exploitation could lead to remote code execution, privilege escalation, or denial of service, depending on the context.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-48387"
        },
        {
          "category": "external",
          "summary": "RHBZ#2369875",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369875"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48387",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-48387"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387"
        },
        {
          "category": "external",
          "summary": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f",
          "url": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f"
        },
        {
          "category": "external",
          "summary": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v",
          "url": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v"
        }
      ],
      "release_date": "2025-06-02T19:20:18.220000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball"
    },
    {
      "cve": "CVE-2025-48997",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "discovery_date": "2025-06-03T19:01:06.246004+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2370084"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An unhandled exception flaw was found in multer. This issue allows an attacker to trigger an application level denial of service by sending an upload file request with an empty string field name, which triggers an exception in processing that is not properly handled. This issue will lead to a program crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "multer: Multer vulnerable to Denial of Service via unhandled exception",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The denial of service impact is limited to the program that integrates multer. The host operating system is not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-48997"
        },
        {
          "category": "external",
          "summary": "RHBZ#2370084",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370084"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48997",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-48997"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48997",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48997"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9",
          "url": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/issues/1233",
          "url": "https://github.com/expressjs/multer/issues/1233"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/pull/1256",
          "url": "https://github.com/expressjs/multer/pull/1256"
        },
        {
          "category": "external",
          "summary": "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg",
          "url": "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg"
        }
      ],
      "release_date": "2025-06-03T18:21:59.527000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "multer: Multer vulnerable to Denial of Service via unhandled exception"
    },
    {
      "cve": "CVE-2025-54419",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2025-07-28T20:02:41.635540+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2384049"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A signature verification flaw was found in the npm @node-saml/node-saml library. This flaw allows an attacker who has access to a validly signed document from the identity provider (IdP) to alter the content of the document, modify the details within the document, and have the modifications be accepted.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "@node-saml/node-saml: Node-SAML Signature Verification Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is a Important impact authn-bypass, not a Moderate bug, because it breaks the core trust boundary of SAML: the service provider (SP) makes authorization decisions based on an assertion it believes is protected by the IdP\u2019s XML signature. In @node-saml/node-saml \u22645.0.1, the library verifies the signature over one part of the response but then parses/uses fields from the original, unsigned document, a classic signature-wrapping/mismatch flaw. An attacker who possesses any validly signed SAML response (e.g., their own login, a captured response, or one from a lower-privileged account) can alter critical elements\u2014such as the Subject/NameID (e.g., drop a character to map to a different user), group/role attributes, AuthnContext, or Conditions\u2014without invalidating the signature, and the SP will accept the modified values. That enables account takeover, privilege escalation, MFA/step-up bypass (via AuthnContext changes), and policy circumvention across every SP relying on this library. The only prerequisite is access to a single signed response; no IdP compromise is required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
          "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-54419"
        },
        {
          "category": "external",
          "summary": "RHBZ#2384049",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384049"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-54419",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-54419"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-54419",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54419"
        },
        {
          "category": "external",
          "summary": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10",
          "url": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10"
        },
        {
          "category": "external",
          "summary": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0",
          "url": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0"
        },
        {
          "category": "external",
          "summary": "https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3",
          "url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3"
        }
      ],
      "release_date": "2025-07-28T19:47:46.584000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-08-19T11:33:06+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:14090"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:7dad33bce18ec8417e9345ce8cdd39f3c9bfd637cecc8ce6750fa3e5279dc06b_amd64",
            "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:72beabd2760976369736af8c22388b030603f9d503020aa581f4b8ec1c50c740_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "@node-saml/node-saml: Node-SAML Signature Verification Vulnerability"
    }
  ]
}

fkie_cve-2025-5417

Vulnerability from fkie_nvd

Published

2025-08-19 05:15

Modified

2025-08-19 16:15

Severity ?

6.1 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

References

▶	URL	Tags
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:14090
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2025-5417
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2369602

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An insufficient access control vulnerability was found in the Red Hat\nDeveloper Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the\nrhdh/rhdh-hub-rhel9 container image and modify the image\u0027s content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 una vulnerabilidad de control de acceso insuficiente en la imagen del contenedor rhdh/rhdh-hub-rhel9 de Red Hat Developer Hub. El administrador o usuario del cl\u00faster de Red Hat Developer Hub, con acceso est\u00e1ndar al cl\u00faster y al espacio de nombres de Red Hat Developer Hub, puede acceder a la imagen del contenedor rhdh/rhdh-hub-rhel9 y modificar su contenido. Este problema afecta la confidencialidad e integridad de los datos, y los cambios realizados no son permanentes, ya que se restablecen tras el reinicio del pod."
    }
  ],
  "id": "CVE-2025-5417",
  "lastModified": "2025-08-19T16:15:29.083",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-19T05:15:29.733",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:14090"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-5417"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369602"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-266"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-5417 (GCVE-0-2025-5417)

Vulnerability from cvelistv5

ghsa-qxg3-p56f-vx54

Vulnerability from github

rhsa-2025:14090

Vulnerability from csaf_redhat

fkie_cve-2025-5417

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature