csaf_certbund - wid-sec-w-2025-0460

wid-sec-w-2025-0460

Vulnerability from csaf_certbund

Published

2025-02-27 23:00

Modified

2025-06-30 22:00

Summary

Red Hat Enterprise Linux (Quarkus): Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff

Ein entfernter Angreifer kann mehrere Schwachstellen in Quarkus auf Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen, oder einen Denial of Service auszulösen.

Betroffene Betriebssysteme

- Linux - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Quarkus auf Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen, oder einen Denial of Service auszul\u00f6sen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0460 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0460.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0460 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0460"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:1884 vom 2025-02-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:1884"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:1885 vom 2025-02-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:1885"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2067 vom 2025-03-03",
        "url": "https://access.redhat.com/errata/RHSA-2025:2067"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2663 vom 2025-03-11",
        "url": "https://access.redhat.com/errata/RHSA-2025:2663"
      },
      {
        "category": "external",
        "summary": "Bamboo Data Center Advisory",
        "url": "https://jira.atlassian.com/browse/BAM-26046"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3358 vom 2025-03-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:3358"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3357 vom 2025-03-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:3357"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229750 vom 2025-04-01",
        "url": "https://www.ibm.com/support/pages/node/7229750"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3467 vom 2025-04-01",
        "url": "https://access.redhat.com/errata/RHSA-2025:3467"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3465 vom 2025-04-01",
        "url": "https://access.redhat.com/errata/RHSA-2025:3465"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3540 vom 2025-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2025:3540"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229901 vom 2025-04-02",
        "url": "https://www.ibm.com/support/pages/node/7229901"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3543 vom 2025-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2025:3543"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7232032 vom 2025-04-29",
        "url": "https://www.ibm.com/support/pages/node/7232032"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4550 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4550"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4549 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4549"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4552 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4552"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4548 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4548"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin",
        "url": "https://www.ibm.com/support/pages/node/7234827"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:8258 vom 2025-06-03",
        "url": "https://access.redhat.com/errata/RHSA-2025:8258"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:8761 vom 2025-06-10",
        "url": "https://access.redhat.com/errata/RHSA-2025:8761"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7235497 vom 2025-06-21",
        "url": "https://www.ibm.com/support/pages/node/7235497"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7237155 vom 2025-06-26",
        "url": "https://www.ibm.com/support/pages/node/7237155"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:9922 vom 2025-06-30",
        "url": "https://access.redhat.com/errata/RHSA-2025:9922"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux (Quarkus): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-30T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-01T08:34:16.373+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0460",
      "initial_release_date": "2025-02-27T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-02-27T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-03-03T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-11T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-18T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Atlassian aufgenommen"
        },
        {
          "date": "2025-03-27T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-31T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-01T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-02T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat und IBM aufgenommen"
        },
        {
          "date": "2025-04-28T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-06T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-27T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-02T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-06-09T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-06-22T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-26T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-30T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "16"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.2.2",
                "product": {
                  "name": "Atlassian Bamboo \u003c10.2.2",
                  "product_id": "T041966"
                }
              },
              {
                "category": "product_version",
                "name": "10.2.2",
                "product": {
                  "name": "Atlassian Bamboo 10.2.2",
                  "product_id": "T041966-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bamboo:10.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.6.11",
                "product": {
                  "name": "Atlassian Bamboo \u003c9.6.11",
                  "product_id": "T041967"
                }
              },
              {
                "category": "product_version",
                "name": "9.6.11",
                "product": {
                  "name": "Atlassian Bamboo 9.6.11",
                  "product_id": "T041967-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:bamboo:9.6.11"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Bamboo"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM FlashSystem",
            "product": {
              "name": "IBM FlashSystem",
              "product_id": "T025159",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:flashsystem:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.6.1",
                "product": {
                  "name": "IBM Maximo Asset Management 7.6.1",
                  "product_id": "389168",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Maximo Asset Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.0.1 Interim fix 042",
                  "product_id": "T043174"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.0.1 Interim fix 042",
                  "product_id": "T043174-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.0.1_interim_fix_042"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.1.0: Interim fix 039",
                  "product_id": "T043175"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.1.0: Interim fix 039",
                  "product_id": "T043175-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.1.0_interim_fix_039"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.12.0.1: Interim fix 024",
                  "product_id": "T043176"
                }
              },
              {
                "category": "product_version",
                "name": "V8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager V8.12.0.1: Interim fix 024",
                  "product_id": "T043176-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.12.0.1_interim_fix_024"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV9.0.0.1: Interim fix 007",
                  "product_id": "T043177"
                }
              },
              {
                "category": "product_version",
                "name": "V9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager V9.0.0.1: Interim fix 007",
                  "product_id": "T043177-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v9.0.0.1_interim_fix_007"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Operational Decision Manager"
          },
          {
            "category": "product_name",
            "name": "IBM SAN Volume Controller",
            "product": {
              "name": "IBM SAN Volume Controller",
              "product_id": "T020642",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:san_volume_controller:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Analytic Server",
                "product": {
                  "name": "IBM SPSS Analytic Server",
                  "product_id": "T011789",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spss:analytic_server"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SPSS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12",
                "product": {
                  "name": "IBM Security Guardium 12",
                  "product_id": "T043916",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:sqlguard_12.0p35_bundle_jan-28-2025"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Quarkus \u003c3.8.6.SP3",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c3.8.6.SP3",
                  "product_id": "T041477"
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.8.6.SP3",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.8.6.SP3",
                  "product_id": "T041477-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.8.6.sp3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Quarkus \u003c3.15.3.SP1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c3.15.3.SP1",
                  "product_id": "T041478"
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.15.3.SP1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.15.3.SP1",
                  "product_id": "T041478-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.15.3.sp1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Quarkus \u003c3.20.1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c3.20.1",
                  "product_id": "T044254"
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.20.1",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.20.1",
                  "product_id": "T044254-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.20.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Apache Camel 1",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel 1",
                  "product_id": "T044468",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "category": "product_name",
            "name": "Red Hat Integration",
            "product": {
              "name": "Red Hat Integration",
              "product_id": "T033960",
              "product_identification_helper": {
                "cpe": "cpe:/a:redhat:integration:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.5.3",
                "product": {
                  "name": "Red Hat JBoss Data Grid \u003c8.5.3",
                  "product_id": "T041746"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.3",
                "product": {
                  "name": "Red Hat JBoss Data Grid 8.5.3",
                  "product_id": "T041746-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:8.5.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Data Grid"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.4.21",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform \u003c7.4.21",
                  "product_id": "T042265"
                }
              },
              {
                "category": "product_version",
                "name": "7.4.21",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 7.4.21",
                  "product_id": "T042265-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4.21"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-1247",
      "product_status": {
        "known_affected": [
          "T011789",
          "67646",
          "T041967",
          "T041746",
          "T041966",
          "389168",
          "T043916",
          "T033960",
          "T020642",
          "T044468",
          "444803",
          "T025159",
          "T041478",
          "T043174",
          "T041477",
          "T043175",
          "T044254",
          "T043176",
          "T043177",
          "T042265"
        ]
      },
      "release_date": "2025-02-27T23:00:00.000+00:00",
      "title": "CVE-2025-1247"
    },
    {
      "cve": "CVE-2025-1634",
      "product_status": {
        "known_affected": [
          "T011789",
          "67646",
          "T041967",
          "T041746",
          "T041966",
          "389168",
          "T043916",
          "T033960",
          "T020642",
          "T044468",
          "444803",
          "T025159",
          "T041478",
          "T043174",
          "T041477",
          "T043175",
          "T044254",
          "T043176",
          "T043177",
          "T042265"
        ]
      },
      "release_date": "2025-02-27T23:00:00.000+00:00",
      "title": "CVE-2025-1634"
    },
    {
      "cve": "CVE-2025-24970",
      "product_status": {
        "known_affected": [
          "T011789",
          "67646",
          "T041967",
          "T041746",
          "T041966",
          "389168",
          "T043916",
          "T033960",
          "T020642",
          "T044468",
          "444803",
          "T025159",
          "T041478",
          "T043174",
          "T041477",
          "T043175",
          "T044254",
          "T043176",
          "T043177",
          "T042265"
        ]
      },
      "release_date": "2025-02-27T23:00:00.000+00:00",
      "title": "CVE-2025-24970"
    }
  ]
}

CVE-2025-24970 (GCVE-0-2025-24970)

Vulnerability from cvelistv5

Published

2025-02-10 21:57

Modified

2025-04-16 15:37

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Summary

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.

References

►

URL

Tags

	https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw	x_refsource_CONFIRM
	https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	netty	netty	Version: >= 4.1.91.Final, <= 4.1.117.Final

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24970",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-11T15:30:54.865019Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-11T15:31:38.061Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-16T15:37:17.191Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250221-0005/"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.1.91.Final, \u003c= 4.1.117.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn\u0027t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-10T21:57:28.730Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
        },
        {
          "name": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"
        }
      ],
      "source": {
        "advisory": "GHSA-4g8c-wm8x-jfhw",
        "discovery": "UNKNOWN"
      },
      "title": "SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24970",
    "datePublished": "2025-02-10T21:57:28.730Z",
    "dateReserved": "2025-01-29T15:18:03.210Z",
    "dateUpdated": "2025-04-16T15:37:17.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1247 (GCVE-0-2025-1247)

Vulnerability from cvelistv5

Published

2025-02-13 13:26

Modified

2025-03-15 09:18

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-488 - Exposure of Data Element to Wrong Session

Summary

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:1884	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:1885	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2067	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-1247	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2345172	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

►

Version: 0 ≤

Red Hat	Red Hat Build of Apache Camel 4.8 for Quarkus 3.15	cpe:/a:redhat:camel_quarkus:3.15
Red Hat	Red Hat build of Quarkus 3.15.3.SP1	cpe:/a:redhat:quarkus:3.15::el8
Red Hat	Red Hat build of Quarkus 3.8.6.SP3	cpe:/a:redhat:quarkus:3.8::el8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1247",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T14:11:32.786242Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:11:38.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/quarkusio/quarkus/",
          "defaultStatus": "unaffected",
          "packageName": "quarkus-rest",
          "versions": [
            {
              "lessThan": "3.18.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3.15"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-rest",
          "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3.15::el8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-rest",
          "product": "Red Hat build of Quarkus 3.15.3.SP1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3.8::el8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-rest",
          "product": "Red Hat build of Quarkus 3.8.6.SP3",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-488",
              "description": "Exposure of Data Element to Wrong Session",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-15T09:18:44.686Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:1884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:1884"
        },
        {
          "name": "RHSA-2025:1885",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:1885"
        },
        {
          "name": "RHSA-2025:2067",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2067"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-1247"
        },
        {
          "name": "RHBZ#2345172",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-12T09:30:25.106000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-12T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-1247",
    "datePublished": "2025-02-13T13:26:26.992Z",
    "dateReserved": "2025-02-12T09:43:11.716Z",
    "dateUpdated": "2025-03-15T09:18:44.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-1634 (GCVE-0-2025-1634)

Vulnerability from cvelistv5

Published

2025-02-26 16:56

Modified

2025-08-01 19:06

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Summary

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

References

►

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:12511	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:1884	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:1885	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:2067	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:9922	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-1634	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2347319	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor

Product

Version

►

Version: 0 ≤
Version: 0 ≤

Red Hat	Red Hat Build of Apache Camel 4.8 for Quarkus 3.15	cpe:/a:redhat:camel_quarkus:3.15
Red Hat	Red Hat build of Quarkus 3.15.3.SP1	cpe:/a:redhat:quarkus:3.15::el8
Red Hat	Red Hat build of Quarkus 3.8.6.SP3	cpe:/a:redhat:quarkus:3.8::el8
Red Hat	Streams for Apache Kafka 2.9.1	cpe:/a:redhat:amq_streams:2.9::el9
Red Hat	Streams for Apache Kafka 3.0.0	cpe:/a:redhat:amq_streams:3.0::el9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1634",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T17:22:33.342704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-26T17:25:47.506Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/quarkusio/quarkus",
          "defaultStatus": "unaffected",
          "packageName": "quarkus-resteasy",
          "versions": [
            {
              "lessThan": "3.8.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3.15"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-resteasy",
          "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3.15::el8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-resteasy",
          "product": "Red Hat build of Quarkus 3.15.3.SP1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3.8::el8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-resteasy",
          "product": "Red Hat build of Quarkus 3.8.6.SP3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:2.9::el9"
          ],
          "defaultStatus": "unaffected",
          "product": "Streams for Apache Kafka 2.9.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:3.0::el9"
          ],
          "defaultStatus": "unaffected",
          "product": "Streams for Apache Kafka 3.0.0",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-01T19:06:18.429Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:12511",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:12511"
        },
        {
          "name": "RHSA-2025:1884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:1884"
        },
        {
          "name": "RHSA-2025:1885",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:1885"
        },
        {
          "name": "RHSA-2025:2067",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2067"
        },
        {
          "name": "RHSA-2025:9922",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9922"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-1634"
        },
        {
          "name": "RHBZ#2347319",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-24T14:17:31.237000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-24T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-1634",
    "datePublished": "2025-02-26T16:56:23.869Z",
    "dateReserved": "2025-02-24T14:23:22.369Z",
    "dateUpdated": "2025-08-01T19:06:18.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2025-0460

Vulnerability from csaf_certbund

CVE-2025-24970 (GCVE-0-2025-24970)

Vulnerability from cvelistv5

CVE-2025-1247 (GCVE-0-2025-1247)

Vulnerability from cvelistv5

CVE-2025-1634 (GCVE-0-2025-1634)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature