CVE-2025-22233 (GCVE-0-2025-22233)
Vulnerability from cvelistv5 – Published: 2025-05-16 19:14 – Updated: 2025-05-17 02:37
CWE-20 - Improper Input Validation

| Vendor | Product | Version |
|---|---|---|
| Spring | Spring Framework | Affected: 6.2.0, ≤ 6.2.6 (Framework)<br>Affected: 6.1.0, ≤ 6.1.19 (Framework)<br>Affected: 6.0.0, ≤ 6.0.27 (Enterprise Framework)<br>Affected: 5.3.0, ≤ 5.3.42 (Enterprise Framework)<br>Unaffected: 6.2.7 (Framework)<br>Unaffected: 6.1.20 (Framework)<br>Unaffected: 6.0.28 (Enterprise Framework)<br>Unaffected: 5.3.43 (Entrprise Framework) |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:36:53.736871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T02:37:03.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Spring Framework",
"vendor": "Spring",
"versions": [
{
"lessThanOrEqual": "6.2.6",
"status": "affected",
"version": "6.2.0",
"versionType": "Framework"
},
{
"lessThanOrEqual": "6.1.19",
"status": "affected",
"version": "6.1.0",
"versionType": "Framework"
},
{
"lessThanOrEqual": "6.0.27",
"status": "affected",
"version": "6.0.0",
"versionType": "Enterprise Framework"
},
{
"lessThanOrEqual": "5.3.42",
"status": "affected",
"version": "5.3.0",
"versionType": "Enterprise Framework"
},
{
"status": "unaffected",
"version": "6.2.7",
"versionType": "Framework"
},
{
"status": "unaffected",
"version": "6.1.20",
"versionType": "Framework"
},
{
"status": "unaffected",
"version": "6.0.28",
"versionType": "Enterprise Framework"
},
{
"status": "unaffected",
"version": "5.3.43",
"versionType": "Entrprise Framework"
}
]
}
],
"datePublic": "2025-05-15T15:02:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.\n\nAffected Spring Products and Versions\n\nSpring Framework:\n * 6.2.0 - 6.2.6\n\n * 6.1.0 - 6.1.19\n\n * 6.0.0 - 6.0.27\n\n * 5.3.0 - 5.3.42\n * Older, unsupported versions are also affected\n\n\n\nMitigation\n\nUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix Version\u00a0Availability\u00a06.2.x\n 6.2.7\nOSS6.1.x\n 6.1.20\nOSS6.0.x\n 6.0.28\n Commercial https://enterprise.spring.io/ 5.3.x\n 5.3.43\n Commercial https://enterprise.spring.io/ \nNo further mitigation steps are necessary.\n\n\nGenerally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.\n\nFor setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.\n\nCredit\n\nThis issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137: Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T19:14:07.500Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\u0026version=3.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Framework DataBinder Case Sensitive Match Exception",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22233",
"datePublished": "2025-05-16T19:14:07.500Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2025-05-17T02:37:03.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-22233",
"date": "2026-06-29",
"epss": "0.00351",
"percentile": "0.26957"
},
"vulnrichment": {
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
NCSC-2025-0329
Vulnerability from csaf_ncscnl - Published: 2025-10-23 07:20 - Updated: 2025-10-23 07:20

Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform's Dynamo Application Framework allows low-privileged attackers to manipulate data.
CWE-20 - Improper Input Validation

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

Recent updates to Netty address critical vulnerabilities, including the 'MadeYouReset' DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| vers:unknown/* Oracle / Commerce | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Guided Search | vers:unknown/* | | |
| vers:unknown/* Oracle / Oracle Commerce Platform | vers:unknown/* | | |

{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle has fixed vulnerabilities in various subcomponents of Oracle Commerce products, including Oracle Middleware Common Libraries, Oracle Documaker, Oracle WebCenter Forms Recognition, Oracle WebLogic Server, and Oracle Application Testing Suite.",
"title": "Facts"
},
{
"category": "description",
"text": "The vulnerabilities allow unauthenticated attackers to cause a partial or complete Denial of Service (DoS), with CVSS scores ranging from 2.7 to 7.5. This can lead to system outages and unauthorized access to data. Attackers can abuse these vulnerabilities by sending specific requests that overload the systems or by making use of untrusted input. The vulnerabilities were found in various versions of the affected products, which increases the impact.",
"title": "Interpretations"
},
{
"category": "description",
"text": "Oracle has released updates to fix the vulnerabilities. See the attached references for more information.",
"title": "Solutions"
},
{
"category": "general",
"text": "medium",
"title": "Probability"
},
{
"category": "general",
"text": "high",
"title": "Damage"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.oracle.com/docs/tech/security-alerts/cpuoct2025csaf.json"
}
],
"title": "Vulnerabilities fixed in Oracle Commerce",
"tracking": {
"current_release_date": "2025-10-23T07:20:51.213314Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0329",
"initial_release_date": "2025-10-23T07:20:51.213314Z",
"revision_history": [
{
"date": "2025-10-23T07:20:51.213314Z",
"number": "1.0.0",
"summary": "Initial version"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Commerce"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Oracle Commerce Guided Search"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Oracle Commerce Platform"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-47554",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-47554 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2024-47554"
},
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-57699 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2024-57699"
},
{
"cve": "CVE-2025-22233",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform\u0027s Dynamo Application Framework allows low-privileged attackers to manipulate data.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-22233 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22233.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-22233"
},
{
"cve": "CVE-2025-48795",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48795"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48989 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent updates to Netty address critical vulnerabilities, including the \u0027MadeYouReset\u0027 DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55163 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3"
]
}
],
"title": "CVE-2025-55163"
}
]
}
WID-SEC-W-2025-1077
Vulnerability from csaf_certbund - Published: 2025-05-15 22:00 - Updated: 2025-11-30 23:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| NetApp ActiveIQ Unified Manager (NetApp) | cpe:/a:netapp:active_iq_unified_manager:- | — | |
| IBM InfoSphere Information Server (IBM) | cpe:/a:ibm:infosphere_information_server:- | — | |
| VMware Tanzu Spring Framework <6.0.28 (VMware Tanzu / Spring Framework) | | <6.0.28 | |
| Hitachi Ops Center (Hitachi) | cpe:/a:hitachi:ops_center:- | — | |
| RealObjects PDFreactor <12.2 (RealObjects / PDFreactor) | | <12.2 | |
| VMware Tanzu Spring Framework <6.2.7 (VMware Tanzu / Spring Framework) | | <6.2.7 | |
| VMware Tanzu Spring Framework <6.1.20 (VMware Tanzu / Spring Framework) | | <6.1.20 | |
| IBM Sterling Connect:Direct <6.3.0.14 (IBM / Sterling Connect:Direct) | | <6.3.0.14 | |
| VMware Tanzu Spring Framework <5.3.43 (VMware Tanzu / Spring Framework) | | <5.3.43 | |
| IBM Business Automation Workflow (IBM) | cpe:/a:ibm:business_automation_workflow:- | — | |
| IBM Sterling Connect:Direct <6.4.0.3 (IBM / Sterling Connect:Direct) | | <6.4.0.3 | |
| IBM Operational Decision Manager (IBM) | cpe:/a:ibm:operational_decision_manager:- | — | |
| HCL BigFix Service Management (HCL / BigFix) | cpe:/a:hcltech:bigfix:service_management | Service Management | |

{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Das Spring Framework bietet ein Entwicklungsmodell f\u00fcr Java mit Infrastrukturunterst\u00fctzung auf Anwendungsebene.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in VMware Tanzu Spring Framework ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1077 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1077.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1077 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1077"
},
{
"category": "external",
"summary": "Spring Security Advisories vom 2025-05-15",
"url": "https://spring.io/security/cve-2025-22233"
},
{
"category": "external",
"summary": "Spring blog vom 2025-05-15",
"url": "https://spring.io/blog/2025/05/15/spring-framework-6-1-20-and-6-2-7-releases-fix-cve-2025-22233"
},
{
"category": "external",
"summary": "PDFreactor 12.2 release notes vom 2025-06-17",
"url": "https://www.pdfreactor.com/pdfreactor-12-2-now-available/"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7237748 vom 2025-06-24",
"url": "https://www.ibm.com/support/pages/node/7237748"
},
{
"category": "external",
"summary": "NetApp Security Advisory NTAP-20250704-0008 vom 2025-07-04",
"url": "https://security.netapp.com/advisory/NTAP-20250704-0008"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-08-28",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=d45b6a4b93636e901254f0cd1dba10f2"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7246096 vom 2025-09-29",
"url": "https://www.ibm.com/support/pages/node/7246096"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2025-127 vom 2025-09-30",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-127/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7183042 vom 2025-10-08",
"url": "https://www.ibm.com/support/pages/node/7247442"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7252567 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7252567"
}
],
"source_lang": "en-US",
"title": "VMware Tanzu Spring Framework: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2025-11-30T23:00:00.000+00:00",
"generator": {
"date": "2025-12-01T08:47:31.964+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-1077",
"initial_release_date": "2025-05-15T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-05-15T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-05-18T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-15542"
},
{
"date": "2025-06-17T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-06-24T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-07-06T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von NetApp aufgenommen"
},
{
"date": "2025-08-28T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-09-29T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von IBM und HITACHI aufgenommen"
},
{
"date": "2025-10-08T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-30T23:00:00.000+00:00",
"number": "10",
"summary": "Referenz(en) aufgenommen: 7253216"
}
],
"status": "final",
"version": "10"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "Service Management",
"product": {
"name": "HCL BigFix Service Management",
"product_id": "T046595",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:service_management"
}
}
}
],
"category": "product_name",
"name": "BigFix"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T038840",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM Business Automation Workflow",
"product": {
"name": "IBM Business Automation Workflow",
"product_id": "T019704",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:-"
}
}
},
{
"category": "product_name",
"name": "IBM InfoSphere Information Server",
"product": {
"name": "IBM InfoSphere Information Server",
"product_id": "T035705",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_information_server:-"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager",
"product": {
"name": "IBM Operational Decision Manager",
"product_id": "T005180",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.3.0.14",
"product": {
"name": "IBM Sterling Connect:Direct \u003c6.3.0.14",
"product_id": "T044812"
}
},
{
"category": "product_version",
"name": "6.3.0.14",
"product": {
"name": "IBM Sterling Connect:Direct 6.3.0.14",
"product_id": "T044812-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.3.0.14"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.4.0.3",
"product": {
"name": "IBM Sterling Connect:Direct \u003c6.4.0.3",
"product_id": "T044813"
}
},
{
"category": "product_version",
"name": "6.4.0.3",
"product": {
"name": "IBM Sterling Connect:Direct 6.4.0.3",
"product_id": "T044813-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.4.0.3"
}
}
}
],
"category": "product_name",
"name": "Sterling Connect:Direct"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "NetApp ActiveIQ Unified Manager",
"product": {
"name": "NetApp ActiveIQ Unified Manager",
"product_id": "T037607",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
}
}
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c12.2",
"product": {
"name": "RealObjects PDFreactor \u003c12.2",
"product_id": "T044675"
}
},
{
"category": "product_version",
"name": "12.2",
"product": {
"name": "RealObjects PDFreactor 12.2",
"product_id": "T044675-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:realobjects:pdfreactor:12.2"
}
}
}
],
"category": "product_name",
"name": "PDFreactor"
}
],
"category": "vendor",
"name": "RealObjects"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.2.7",
"product": {
"name": "VMware Tanzu Spring Framework \u003c6.2.7",
"product_id": "T043852"
}
},
{
"category": "product_version",
"name": "6.2.7",
"product": {
"name": "VMware Tanzu Spring Framework 6.2.7",
"product_id": "T043852-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_framework:6.2.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.1.20",
"product": {
"name": "VMware Tanzu Spring Framework \u003c6.1.20",
"product_id": "T043853"
}
},
{
"category": "product_version",
"name": "6.1.20",
"product": {
"name": "VMware Tanzu Spring Framework 6.1.20",
"product_id": "T043853-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_framework:6.1.20"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.3.43",
"product": {
"name": "VMware Tanzu Spring Framework \u003c5.3.43",
"product_id": "T043855"
}
},
{
"category": "product_version",
"name": "5.3.43",
"product": {
"name": "VMware Tanzu Spring Framework 5.3.43",
"product_id": "T043855-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_framework:5.3.43"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.28",
"product": {
"name": "VMware Tanzu Spring Framework \u003c6.0.28",
"product_id": "T043858"
}
},
{
"category": "product_version",
"name": "6.0.28",
"product": {
"name": "VMware Tanzu Spring Framework 6.0.28",
"product_id": "T043858-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_framework:6.0.28"
}
}
}
],
"category": "product_name",
"name": "Spring Framework"
}
],
"category": "vendor",
"name": "VMware Tanzu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22233",
"product_status": {
"known_affected": [
"T037607",
"T035705",
"T043858",
"T038840",
"T044675",
"T043852",
"T043853",
"T044812",
"T043855",
"T019704",
"T044813",
"T005180",
"T046595"
]
},
"release_date": "2025-05-15T22:00:00.000+00:00",
"title": "CVE-2025-22233"
}
]
}
WID-SEC-W-2025-2357
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-21 22:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Oracle Commerce 11.4.0 (Oracle / Commerce) | cpe:/a:oracle:commerce:11.4.0 | 11.4.0 | |

{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Commerce ist eine elektronische Handelsplattform.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Commerce ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2357 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2357.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2357 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2357"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Commerce vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixOCOM"
}
],
"source_lang": "en-US",
"title": "Oracle Commerce: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-21T22:00:00.000+00:00",
"generator": {
"date": "2025-10-22T10:03:28.556+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2357",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "11.4.0",
"product": {
"name": "Oracle Commerce 11.4.0",
"product_id": "T038369",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:commerce:11.4.0"
}
}
}
],
"category": "product_name",
"name": "Commerce"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-47554",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2024-47554"
},
{
"cve": "CVE-2024-57699",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2024-57699"
},
{
"cve": "CVE-2025-22233",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-22233"
},
{
"cve": "CVE-2025-48795",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48795"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-55163",
"product_status": {
"known_affected": [
"T038369"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-55163"
}
]
}
WID-SEC-W-2026-0351
Vulnerability from csaf_certbund - Published: 2026-02-09 23:00 - Updated: 2026-02-09 23:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Dell NetWorker AUTHC <19.14 (Dell / NetWorker) | | AUTHC <19.14 | |
| Dell NetWorker vCenter User Interface <19.14 (Dell / NetWorker) | | vCenter User Interface <19.14 | |
| Dell NetWorker Management Web UI <19.14 (Dell / NetWorker) | | Management Web UI <19.14 | |
| Dell NetWorker Management Console <19.14 (Dell / NetWorker) | | Management Console <19.14 | |
| Dell NetWorker File-Level Recovery <19.14 (Dell / NetWorker) | | File-Level Recovery <19.14 | |
| Dell NetWorker REST API <19.14 (Dell / NetWorker) | | REST API <19.14 | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Dell NetWorker AUTHC <19.14
Dell / NetWorker
|
AUTHC <19.14 | ||
|
Dell NetWorker vCenter User Interface <19.14
Dell / NetWorker
|
vCenter User Interface <19.14 | ||
|
Dell NetWorker Management Web UI <19.14
Dell / NetWorker
|
Management Web UI <19.14 | ||
|
Dell NetWorker Management Console <19.14
Dell / NetWorker
|
Management Console <19.14 | ||
|
Dell NetWorker File-Level Recovery <19.14
Dell / NetWorker
|
File-Level Recovery <19.14 | ||
|
Dell NetWorker REST API <19.14
Dell / NetWorker
|
REST API <19.14 |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Dell NetWorker stellt zentralisiert Backup- und Recovery-Dienste bereit.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Dell NetWorker ausnutzen, um Angriffe zu starten, die die Integrit\u00e4t, Vertraulichkeit und Verf\u00fcgbarkeit von Systemen beeintr\u00e4chtigen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0351 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0351.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0351 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0351"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2026-023 vom 2026-02-09",
"url": "https://www.dell.com/support/kbdoc/de-de/000425429/dsa-2026-023-security-update-for-dell-networker-multiple-third-party-component-vulnerabilities"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2026-024 vom 2026-02-09",
"url": "https://www.dell.com/support/kbdoc/de-de/000425759/dsa-2026-024-security-update-for-dell-networker-multiple-third-party-component-vulnerabilities"
}
],
"source_lang": "en-US",
"title": "Dell NetWorker (Third Party Components): Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-02-09T23:00:00.000+00:00",
"generator": {
"date": "2026-02-10T10:02:33.638+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0351",
"initial_release_date": "2026-02-09T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-09T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "AUTHC \u003c19.14",
"product": {
"name": "Dell NetWorker AUTHC \u003c19.14",
"product_id": "T050629"
}
},
{
"category": "product_version",
"name": "AUTHC 19.14",
"product": {
"name": "Dell NetWorker AUTHC 19.14",
"product_id": "T050629-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:authc__19.14"
}
}
},
{
"category": "product_version_range",
"name": "Management Console \u003c19.14",
"product": {
"name": "Dell NetWorker Management Console \u003c19.14",
"product_id": "T050630"
}
},
{
"category": "product_version",
"name": "Management Console 19.14",
"product": {
"name": "Dell NetWorker Management Console 19.14",
"product_id": "T050630-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:management_console__19.14"
}
}
},
{
"category": "product_version_range",
"name": "Management Web UI \u003c19.14",
"product": {
"name": "Dell NetWorker Management Web UI \u003c19.14",
"product_id": "T050631"
}
},
{
"category": "product_version",
"name": "Management Web UI 19.14",
"product": {
"name": "Dell NetWorker Management Web UI 19.14",
"product_id": "T050631-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:management_web_ui__19.14"
}
}
},
{
"category": "product_version_range",
"name": "REST API \u003c19.14",
"product": {
"name": "Dell NetWorker REST API \u003c19.14",
"product_id": "T050632"
}
},
{
"category": "product_version",
"name": "REST API 19.14",
"product": {
"name": "Dell NetWorker REST API 19.14",
"product_id": "T050632-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:rest_api__19.14"
}
}
},
{
"category": "product_version_range",
"name": "File-Level Recovery \u003c19.14",
"product": {
"name": "Dell NetWorker File-Level Recovery \u003c19.14",
"product_id": "T050633"
}
},
{
"category": "product_version",
"name": "File-Level Recovery 19.14",
"product": {
"name": "Dell NetWorker File-Level Recovery 19.14",
"product_id": "T050633-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:file-level_recovery__19.14"
}
}
},
{
"category": "product_version_range",
"name": "vCenter User Interface \u003c19.14",
"product": {
"name": "Dell NetWorker vCenter User Interface \u003c19.14",
"product_id": "T050634"
}
},
{
"category": "product_version",
"name": "vCenter User Interface 19.14",
"product": {
"name": "Dell NetWorker vCenter User Interface 19.14",
"product_id": "T050634-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:vcenter_user_interface__19.14"
}
}
}
],
"category": "product_name",
"name": "NetWorker"
}
],
"category": "vendor",
"name": "Dell"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5783",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2012-5783"
},
{
"cve": "CVE-2014-3577",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2014-3577"
},
{
"cve": "CVE-2015-5262",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2015-5262"
},
{
"cve": "CVE-2020-13956",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2023-35116",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2023-35116"
},
{
"cve": "CVE-2024-29736",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2024-29736"
},
{
"cve": "CVE-2024-32007",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2024-32007"
},
{
"cve": "CVE-2024-41172",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2024-41172"
},
{
"cve": "CVE-2025-11226",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-11226"
},
{
"cve": "CVE-2025-22228",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-22228"
},
{
"cve": "CVE-2025-22233",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-22233"
},
{
"cve": "CVE-2025-22235",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-22235"
},
{
"cve": "CVE-2025-23184",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-23184"
},
{
"cve": "CVE-2025-27820",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-27820"
},
{
"cve": "CVE-2025-31650",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-31650"
},
{
"cve": "CVE-2025-31651",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-31651"
},
{
"cve": "CVE-2025-41234",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-41234"
},
{
"cve": "CVE-2025-41242",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-41242"
},
{
"cve": "CVE-2025-41248",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-41248"
},
{
"cve": "CVE-2025-41254",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-41254"
},
{
"cve": "CVE-2025-46392",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-46392"
},
{
"cve": "CVE-2025-48913",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-48913"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48989",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-53864",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-53864"
},
{
"cve": "CVE-2025-7962",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-7962"
},
{
"cve": "CVE-2025-8713",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-8713"
},
{
"cve": "CVE-2025-8714",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-8714"
},
{
"cve": "CVE-2025-8715",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-8715"
},
{
"cve": "CVE-2025-8885",
"product_status": {
"known_affected": [
"T050629",
"T050634",
"T050631",
"T050630",
"T050633",
"T050632"
]
},
"release_date": "2026-02-09T23:00:00.000+00:00",
"title": "CVE-2025-8885"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.