Refine your search
3 vulnerabilities found for jmix by jmix-framework
CVE-2025-32952 (GCVE-0-2025-32952)
Vulnerability from nvd
Published
2025-04-22 17:32
Modified
2025-05-27 17:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jmix-framework | jmix |
Version: >= 1.0.0, < 1.6.2 Version: >= 2.0.0, < 2.4.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T19:56:32.907417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T16:03:04.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jmix",
"vendor": "jmix-framework",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.6.2"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T17:00:25.356Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-f3gv-cwwh-758m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-f3gv-cwwh-758m"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3804",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3804"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3836",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3836"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application"
}
],
"source": {
"advisory": "GHSA-f3gv-cwwh-758m",
"discovery": "UNKNOWN"
},
"title": "io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32952",
"datePublished": "2025-04-22T17:32:11.966Z",
"dateReserved": "2025-04-14T21:47:11.450Z",
"dateUpdated": "2025-05-27T17:00:25.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32951 (GCVE-0-2025-32951)
Vulnerability from nvd
Published
2025-04-22 17:32
Modified
2025-05-27 17:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jmix-framework | jmix |
Version: >= 1.0.0, < 1.6.2 Version: >= 2.0.0, < 2.4.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T19:56:29.979241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T16:02:55.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jmix",
"vendor": "jmix-framework",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.6.2"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T17:18:23.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-x27v-f838-jh93"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3804",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3804"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3836",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3836"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html#disable-files-endpoint-in-jmix-application"
}
],
"source": {
"advisory": "GHSA-x27v-f838-jh93",
"discovery": "UNKNOWN"
},
"title": "io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32951",
"datePublished": "2025-04-22T17:32:23.401Z",
"dateReserved": "2025-04-14T21:47:11.450Z",
"dateUpdated": "2025-05-27T17:18:23.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32950 (GCVE-0-2025-32950)
Vulnerability from nvd
Published
2025-04-22 17:14
Modified
2025-05-27 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jmix-framework | jmix |
Version: >= 1.0.0, < 1.6.2 Version: >= 2.0.0, < 2.4.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T19:56:35.680766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T16:03:22.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jmix",
"vendor": "jmix-framework",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.6.2"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server has the necessary permissions. This can be accomplished either by modifying the FileRef directly in the database or by supplying a harmful value in the fileRef parameter of the `/files` endpoint of the generic REST API. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T17:07:11.796Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jmix-framework/jmix/security/advisories/GHSA-jx4g-3xqm-62vh"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3804",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3804"
},
{
"name": "https://github.com/jmix-framework/jmix/issues/3836",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/issues/3836"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/6a66aa3adb967159a30d703e80403406f4c8f7a2"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/c589ef4e2b25620770b8036f4ad05f1a6250cb6a"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/cc97e6ff974b9e7af8160fab39cc5866169daa37"
},
{
"name": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jmix-framework/jmix/commit/f4e6fb05bd245cf36f3e9319aaa0fcd540d024aa"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html"
},
{
"name": "https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.jmix.io/jmix/files-vulnerabilities.html#fix-path-traversal-in-jmix-application"
}
],
"source": {
"advisory": "GHSA-jx4g-3xqm-62vh",
"discovery": "UNKNOWN"
},
"title": "io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32950",
"datePublished": "2025-04-22T17:14:43.211Z",
"dateReserved": "2025-04-14T21:47:11.450Z",
"dateUpdated": "2025-05-27T17:07:11.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}