Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Published
2026-05-18 13:14
Modified
2026-05-13 12:05
Summary
Security fixes for CVE-2024-13009, CVE-2024-6763, CVE-2025-12383, CVE-2025-5115, CVE-2026-1225, CVE-2026-24281, CVE-2026-24308, CVE-2026-34479, CVE-2026-41409, CVE-2026-41635, CVE-2026-42778, CVE-2026-42779, ghsa-355h-qmc2-wpwf, ghsa-3677-xxcr-wjqv, ghsa-72hv-8253-57qq, ghsa-84h7-rjj3-6jx4, ghsa-vc5p-v9hr-52mj applied in versions: 7.7.7-r0, 7.7.8-r0, 7.7.8-r1, 7.9.6-r0, 8.1.2-r0
Details
Multiple security vulnerabilities affect the schema-registry package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "schema-registry"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.1.2-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the schema-registry package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-LO22603",
"modified": "2026-05-13T12:05:03Z",
"published": "2026-05-18T13:14:55.663650Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-LO22603.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-12383"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-5115"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34479"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41635"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42778"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42779"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-355h-qmc2-wpwf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3677-xxcr-wjqv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-84h7-rjj3-6jx4"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vc5p-v9hr-52mj"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6763"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12383"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5115"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1225"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34479"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41635"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42778"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42779"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2024-13009, CVE-2024-6763, CVE-2025-12383, CVE-2025-5115, CVE-2026-1225, CVE-2026-24281, CVE-2026-24308, CVE-2026-34479, CVE-2026-41409, CVE-2026-41635, CVE-2026-42778, CVE-2026-42779, ghsa-355h-qmc2-wpwf, ghsa-3677-xxcr-wjqv, ghsa-72hv-8253-57qq, ghsa-84h7-rjj3-6jx4, ghsa-vc5p-v9hr-52mj applied in versions: 7.7.7-r0, 7.7.8-r0, 7.7.8-r1, 7.9.6-r0, 8.1.2-r0",
"upstream": [
"CVE-2024-13009",
"CVE-2024-6763",
"CVE-2025-12383",
"CVE-2025-5115",
"CVE-2026-1225",
"CVE-2026-24281",
"CVE-2026-24308",
"CVE-2026-34479",
"CVE-2026-41409",
"CVE-2026-41635",
"CVE-2026-42778",
"CVE-2026-42779",
"ghsa-355h-qmc2-wpwf",
"ghsa-3677-xxcr-wjqv",
"ghsa-72hv-8253-57qq",
"ghsa-84h7-rjj3-6jx4",
"ghsa-vc5p-v9hr-52mj"
]
}
CVE-2024-13009 (GCVE-0-2024-13009)
Vulnerability from cvelistv5 – Published: 2025-05-08 17:29 – Updated: 2025-05-08 18:56 Unsupported When Assigned
VLAI
EPSS
Title
Eclipse Jetty GZIP buffer release
Summary
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request
body. This can result in corrupted and/or inadvertent sharing of data between requests.
Severity
7.2 (High)
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Jetty |
Affected:
9.4.0 , ≤ 9.4.56
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:55:32.278977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:56:39.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jetty",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "9.4.56",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."
}
],
"value": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request\nbody. This can result in corrupted and/or inadvertent sharing of data between requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T17:29:31.380Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48"
},
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Eclipse Jetty GZIP buffer release",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-13009",
"datePublished": "2025-05-08T17:29:31.380Z",
"dateReserved": "2024-12-28T09:11:12.587Z",
"dateUpdated": "2025-05-08T18:56:39.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6763 (GCVE-0-2024-6763)
Vulnerability from cvelistv5 – Published: 2024-10-14 15:06 – Updated: 2025-03-07 00:10
VLAI
EPSS
Title
Jetty URI parsing of invalid authority
Summary
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI
differs from the common browsers in how it handles a URI that would be
considered invalid if fully validated against the RRC. Specifically HttpURI
and the browser may differ on the value of the host extracted from an
invalid URI and thus a combination of Jetty and a vulnerable browser may
be vulnerable to a open redirect attack or to a SSRF attack if the URI
is used after passing validation checks.
Severity
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Jetty |
Affected:
7.0.0 , ≤ 12.0.11
(semver)
|
Date Public
2024-10-14 15:00
Credits
https://github.com/zer0yu
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "jetty",
"vendor": "eclipse",
"versions": [
{
"lessThanOrEqual": "12.0.11",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6763",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:44:14.448650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:45:35.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-03-07T00:10:46.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250306-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"modules": [
"jetty-http"
],
"packageName": "org.eclipse.jetty:jetty-http",
"product": "Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "12.0.11",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "https://github.com/zer0yu"
}
],
"datePublic": "2024-10-14T15:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eEclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, \u003ccode\u003eHttpURI\u003c/code\u003e, for URI/URL parsing.\u003c/p\u003e\u003cp\u003eThe \u003ccode\u003eHttpURI\u003c/code\u003e class does insufficient validation on the authority segment of a URI. However the behaviour of \u003ccode\u003eHttpURI\u003c/code\u003e\n differs from the common browsers in how it handles a URI that would be \nconsidered invalid if fully validated against the RRC. Specifically \u003ccode\u003eHttpURI\u003c/code\u003e\n and the browser may differ on the value of the host extracted from an \ninvalid URI and thus a combination of Jetty and a vulnerable browser may\n be vulnerable to a open redirect attack or to a SSRF attack if the URI \nis used after passing validation checks.\u003c/p\u003e"
}
],
"value": "Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.\n\nThe HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI\n differs from the common browsers in how it handles a URI that would be \nconsidered invalid if fully validated against the RRC. Specifically HttpURI\n and the browser may differ on the value of the host extracted from an \ninvalid URI and thus a combination of Jetty and a vulnerable browser may\n be vulnerable to a open redirect attack or to a SSRF attack if the URI \nis used after passing validation checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1286",
"description": "CWE-1286",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T15:30:38.815Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh"
},
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/25"
},
{
"url": "https://github.com/jetty/jetty.project/pull/12012"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jetty URI parsing of invalid authority",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe attacks outlined above rely on decoded user data being passed to the \u003ccode\u003eHttpURI\u003c/code\u003e class. Application should not pass decoded user data as an encoded URI to any URI class/method, including \u003ccode\u003eHttpURI\u003c/code\u003e. Such applications are likely to be vulnerable in other ways.\u003cbr\u003e\nThe immediate solution is to upgrade to a version of the class that will\n fully validate the characters of the URI authority. Ultimately, Jetty \nwill deprecate and remove support for user info in the authority per \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4\"\u003eRFC9110 Section 4.2.4\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eNote that the Chrome (and other browsers) parse the \ninvalid user info section improperly as well (due to flawed WhatWG URL \nparsing rules that do not apply outside of a Web Browser).\u003c/p\u003e"
}
],
"value": "The attacks outlined above rely on decoded user data being passed to the HttpURI class. Application should not pass decoded user data as an encoded URI to any URI class/method, including HttpURI. Such applications are likely to be vulnerable in other ways.\n\nThe immediate solution is to upgrade to a version of the class that will\n fully validate the characters of the URI authority. Ultimately, Jetty \nwill deprecate and remove support for user info in the authority per RFC9110 Section 4.2.4 https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4 .\n\n\nNote that the Chrome (and other browsers) parse the \ninvalid user info section improperly as well (due to flawed WhatWG URL \nparsing rules that do not apply outside of a Web Browser)."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2024-6763",
"datePublished": "2024-10-14T15:06:07.298Z",
"dateReserved": "2024-07-15T17:37:53.605Z",
"dateUpdated": "2025-03-07T00:10:46.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-12383 (GCVE-0-2025-12383)
Vulnerability from cvelistv5 – Published: 2025-11-18 15:14 – Updated: 2025-11-18 21:34
VLAI
EPSS
Title
Race Condition allows Bypass of Trust Restrictions
Summary
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)
Severity
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Jersey |
Affected:
2.45
Affected: 3.0.16 Affected: 3.1.9 |
Credits
Dimitri Tenenbaum
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:34:28.248675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:34:35.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Jersey",
"repo": "https://github.com/eclipse-ee4j/jersey",
"vendor": "Eclipse Foundation",
"versions": [
{
"status": "affected",
"version": "2.45"
},
{
"status": "affected",
"version": "3.0.16"
},
{
"status": "affected",
"version": "3.1.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dimitri Tenenbaum"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)"
}
],
"value": "In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T15:14:37.765Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/74"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Race Condition allows Bypass of Trust Restrictions",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2025-12383",
"datePublished": "2025-11-18T15:14:37.765Z",
"dateReserved": "2025-10-28T10:21:45.989Z",
"dateUpdated": "2025-11-18T21:34:35.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5115 (GCVE-0-2025-5115)
Vulnerability from cvelistv5 – Published: 2025-08-20 19:07 – Updated: 2025-11-04 21:11
VLAI
EPSS
Title
MadeYouReset HTTP/2 vulnerability
Summary
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.
For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.
Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.
The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.
The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.
Links:
* https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/jetty/jetty.project/security/a… | issue-tracking |
| https://github.com/jetty/jetty.project/pull/13449 | patch |
| https://github.com/jetty/jetty.project/releases/t… | release-notes |
| https://github.com/jetty/jetty.project/releases/t… | release-notes |
| https://github.com/jetty/jetty.project/releases/t… | release-notes |
| https://github.com/jetty/jetty.project/releases/t… | release-notes |
| https://github.com/jetty/jetty.project/releases/t… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Jetty | Eclipse Jetty |
Affected:
>=9.3.0 , ≤ <=9.4.57
(semver)
Affected: >=10.0.0 , ≤ <=10.0.25 (semver) Affected: >=11.0.0 , ≤ <=11.0.25 (semver) Affected: >=12.0.0 , ≤ <=12.0.21 (semver) Affected: >=12.1.0.alpha0 , ≤ <=12.1.0.alpha2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T19:28:04.700843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T19:28:12.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:37.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/767506"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/20/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "pkg:maven/org.eclipse.jetty.http2/http2-common",
"product": "Eclipse Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Jetty",
"versions": [
{
"lessThanOrEqual": "\u003c=9.4.57",
"status": "affected",
"version": "\u003e=9.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "\u003c=10.0.25",
"status": "affected",
"version": "\u003e=10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "\u003c=11.0.25",
"status": "affected",
"version": "\u003e=11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "\u003c=12.0.21",
"status": "affected",
"version": "\u003e=12.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "\u003c=12.1.0.alpha2",
"status": "affected",
"version": "\u003e=12.1.0.alpha0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eIn Eclipse Jetty, versions \u0026lt;=9.4.57, \u0026lt;=10.0.25, \u0026lt;=11.0.25, \u0026lt;=12.0.21, \u0026lt;=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\u003c/p\u003e\n\u003cp\u003eFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update\"\u003e\u003c/a\u003e, the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\u003c/p\u003e\n\u003cp\u003eThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\u003c/p\u003e\n\n\u003cp\u003e\u003cstrong\u003eLinks:\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\"\u003ehttps://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "In Eclipse Jetty, versions \u003c=9.4.57, \u003c=10.0.25, \u003c=11.0.25, \u003c=12.0.21, \u003c=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory.\n\n\nFor example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal.\nPer specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame.\nThe client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time.\n\n\nThe attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame.\n\n\n\nLinks:\n\n\n\n * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T10:36:49.477Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
},
{
"tags": [
"patch"
],
"url": "https://github.com/jetty/jetty.project/pull/13449"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MadeYouReset HTTP/2 vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2025-5115",
"datePublished": "2025-08-20T19:07:11.546Z",
"dateReserved": "2025-05-23T08:55:59.861Z",
"dateUpdated": "2025-11-04T21:11:37.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1225 (GCVE-0-2026-1225)
Vulnerability from cvelistv5 – Published: 2026-01-22 09:24 – Updated: 2026-01-22 14:14
VLAI
EPSS
Title
Malicious logback.xml configuration file allows instantiation of arbitrary classes
Summary
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a
configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| QOS.CH Sarl | Logback-core |
Affected:
0.9.20 , ≤ 1.5.24
(maven)
Unaffected: 1.5.25 |
Credits
https://www.code-intelligence.com/
Google Fuzz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T14:14:09.436515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T14:14:17.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"logback-core",
"logback-classic"
],
"platforms": [
"Java"
],
"product": "Logback-core",
"vendor": "QOS.CH Sarl",
"versions": [
{
"lessThanOrEqual": "1.5.24",
"status": "affected",
"version": "0.9.20",
"versionType": "maven"
},
{
"status": "unaffected",
"version": "1.5.25"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "https://www.code-intelligence.com/"
},
{
"lang": "en",
"type": "finder",
"value": "Google Fuzz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.\u003c/div\u003e"
}
],
"value": "ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\n\n\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user\u0027s class-path. In addition, the attacker must have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No known exploitation\u003cbr\u003e"
}
],
"value": "No known exploitation"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Arbitrary code execution on previously compromised system"
}
]
},
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T12:10:39.562Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.5.25"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to logback version 1.5.25 or later. \u003cbr\u003e"
}
],
"value": "Update to logback version 1.5.25 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Malicious logback.xml configuration file allows instantiation of arbitrary classes",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2026-1225",
"datePublished": "2026-01-22T09:24:14.634Z",
"dateReserved": "2026-01-20T12:29:25.357Z",
"dateUpdated": "2026-01-22T14:14:17.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24281 (GCVE-0-2026-24281)
Vulnerability from cvelistv5 – Published: 2026-03-07 08:50 – Updated: 2026-03-10 17:37
VLAI
EPSS
Title
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
Summary
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/088ddsbrzhd5lxzbq… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache ZooKeeper |
Affected:
3.9.0 , ≤ 3.9.4
(maven)
Affected: 3.8.0 , ≤ 3.8.5 (maven) |
Credits
Nikita Markevich <markevich.nikita1@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-07T17:05:10.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/07/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:36:42.765646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:37:28.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zookeeper:zookeeper",
"product": "Apache ZooKeeper",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "3.9.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.8.5",
"status": "affected",
"version": "3.8.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nikita Markevich \u003cmarkevich.nikita1@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It\u0027s important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It\u0027s important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-350",
"description": "CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T08:50:32.525Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2"
}
],
"source": {
"defect": [
"ZOOKEEPER-4986"
],
"discovery": "UNKNOWN"
},
"title": "Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-24281",
"datePublished": "2026-03-07T08:50:32.525Z",
"dateReserved": "2026-01-21T19:40:25.776Z",
"dateUpdated": "2026-03-10T17:37:28.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24308 (GCVE-0-2026-24308)
Vulnerability from cvelistv5 – Published: 2026-03-07 08:51 – Updated: 2026-03-10 17:36
VLAI
EPSS
Title
Apache ZooKeeper: Sensitive information disclosure in client configuration handling
Summary
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Severity
No CVSS data available.
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/qng3rtzv2pqkmko4r… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache ZooKeeper |
Affected:
3.9.0 , ≤ 3.9.4
(maven)
Affected: 3.8.0 , ≤ 3.8.5 (maven) |
Credits
Youlong Chen <chenyoulong20g@ict.ac.cn>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-07T17:05:11.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/07/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:34:03.326224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:36:03.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.zookeeper:zookeeper",
"product": "Apache ZooKeeper",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "3.9.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.8.5",
"status": "affected",
"version": "3.8.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Youlong Chen \u003cchenyoulong20g@ict.ac.cn\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eImproper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client\u0027s logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.\u0026nbsp;\u003c/code\u003eUsers are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue."
}
],
"value": "Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client\u0027s logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.\u00a0Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T08:51:17.567Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ZooKeeper: Sensitive information disclosure in client configuration handling",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-24308",
"datePublished": "2026-03-07T08:51:17.567Z",
"dateReserved": "2026-01-21T21:37:46.975Z",
"dateUpdated": "2026-03-10T17:36:03.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34479 (GCVE-0-2026-34479)
Vulnerability from cvelistv5 – Published: 2026-04-10 15:41 – Updated: 2026-04-10 17:47
VLAI
EPSS
Title
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Summary
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
* Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
* Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/apache/logging-log4j2/pull/4078 | patch |
| https://logging.apache.org/security.html#CVE-2026-34479 | vendor-advisory |
| https://logging.apache.org/cyclonedx/vdr.xml | vendor-advisory |
| https://logging.apache.org/log4j/2.x/migrate-from… | related |
| https://lists.apache.org/thread/gd0hp6mj17rn3kj27… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Log4j 1 to Log4j 2 bridge |
Affected:
2.7 , < 2.25.4
(maven)
Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta2 (maven) cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:* |
Credits
Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)
jabaltarik1 (independently)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-10T16:18:18.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T17:45:24.466114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:47:34.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"cpes": [
"cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "org.apache.logging.log4j:log4j-1.2-api",
"packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api",
"product": "Apache Log4j 1 to Log4j 2 bridge",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.25.4",
"status": "affected",
"version": "2.7",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.0.0-beta2",
"status": "affected",
"version": "3.0.0-alpha1",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
},
{
"lang": "en",
"type": "finder",
"value": "jabaltarik1 (independently)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\u003c/p\u003e\u003cp\u003eTwo groups of users are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThose using \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e directly in a Log4j Core 2 configuration file.\u003c/li\u003e\u003cli\u003eThose using the Log4j 1 configuration compatibility layer with \u003ccode\u003eorg.apache.log4j.xml.XMLLayout\u003c/code\u003e specified as the layout class.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\"\u003eLog4j 1 to Log4j 2 migration guide\u003c/a\u003e, and specifically the section on eliminating reliance on the bridge.\u003c/p\u003e"
}
],
"value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T15:41:07.888Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/logging-log4j2/pull/4078"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/security.html#CVE-2026-34479"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/cyclonedx/vdr.xml"
},
{
"tags": [
"related"
],
"url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-02-16T17:11:00.000Z",
"value": "Vulnerability reported by Ap4sh and ethicxz"
},
{
"lang": "en",
"time": "2026-03-15T05:39:00.000Z",
"value": "Independent report received from jabaltarik1"
},
{
"lang": "en",
"time": "2026-03-24T18:56:00.000Z",
"value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"
},
{
"lang": "en",
"time": "2026-03-25T09:46:00.000Z",
"value": "Fix verified by reporter"
},
{
"lang": "en",
"time": "2026-03-28T11:19:00.000Z",
"value": "Log4j 2.25.4 released"
}
],
"title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-34479",
"datePublished": "2026-04-10T15:41:07.888Z",
"dateReserved": "2026-03-28T14:06:31.965Z",
"dateUpdated": "2026-04-10T17:47:34.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41409 (GCVE-0-2026-41409)
Vulnerability from cvelistv5 – Published: 2026-04-27 09:20 – Updated: 2026-04-27 12:21
VLAI
EPSS
Title
Apache MINA: CWE-502 Deserialization of Untrusted Data
Summary
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade
Severity
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Affected:
2.2.0 , ≤ 2.2.5
(semver)
Affected: 2.1.0 , ≤ 2.1.10 (semver) Affected: 2.0.0 , ≤ 2.0.27 (semver) |
Credits
Venkatraman Kumar, Securin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T12:21:46.348024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T12:21:52.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/org/apache/mina/",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina.core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.27",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected versions are Apache MINA 2.0.0 \u0026lt;= 2.0.27, 2.1.0 \u0026lt;= 2.1.10, and 2.2.0 \u0026lt;= 2.2.5.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eAffected are applications using Apache MINA that call IoBuffer.getObject().\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApplications using Apache MINA are advised to upgrade\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 \u003c= 2.0.27, 2.1.0 \u003c= 2.1.10, and 2.2.0 \u003c= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T09:20:12.866Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA: CWE-502 Deserialization of Untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41409",
"datePublished": "2026-04-27T09:20:12.866Z",
"dateReserved": "2026-04-20T15:04:54.505Z",
"dateUpdated": "2026-04-27T12:21:52.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41635 (GCVE-0-2026-41635)
Vulnerability from cvelistv5 – Published: 2026-04-27 08:59 – Updated: 2026-04-28 03:55
VLAI
EPSS
Title
Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE
Summary
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and
2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Severity
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/1l91w1mqsb3lwfd50… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache MINA |
Affected:
2.2.0 , ≤ 2.2.5
(semver)
Affected: 2.1.0 , ≤ 2.1.10 (semver) Affected: 2.0.0 , ≤ 2.0.27 (semver) |
Credits
Venkatraman Kumar, Securin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T03:55:38.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-27T16:32:59.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/27/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.mina:mina-core",
"product": "Apache MINA",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.0.27",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Venkatraman Kumar, Securin"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache \u003cb\u003eMINA\u003c/b\u003e\u0027s \u003ci\u003eAbstractIoBuffer.resolveClass()\u003c/i\u003e contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix checks if the class is present in the accepted class filter\u0026nbsp;\u003cb\u003ebefore\u003c/b\u003e calling\u0026nbsp;\u003ci\u003eClass.forName()\u003c/i\u003e.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003eAffected versions are Apache MINA 2.0.0 \u0026lt;= 2.0.27, 2.1.0 \u0026lt;= 2.1.10, and\n\u003cbr\u003e\n2.2.0 \u0026lt;= 2.2.5.\n\u003cbr\u003e\n\n\u003cbr\u003e\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\u003cbr\u003e\n\n\u003cbr\u003e\nAffected are applications using Apache MINA that call\u0026nbsp; IoBuffer.getObject().\n\u003cbr\u003e\n\n\u003cbr\u003e\nApplications using Apache MINA are advised to upgrade.\u003cdiv\u003e\u003c/div\u003e"
}
],
"value": "Apache MINA\u0027s AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter\u00a0before calling\u00a0Class.forName().\u00a0\n\n\n\n\n\n\nAffected versions are Apache MINA 2.0.0 \u003c= 2.0.27, 2.1.0 \u003c= 2.1.10, and\n\n\n2.2.0 \u003c= 2.2.5.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call\u00a0 IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T09:15:46.203Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm"
}
],
"source": {
"advisory": "ZDRES-059",
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-17T00:00:00.000Z",
"value": "Initial reporting"
}
],
"title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-41635",
"datePublished": "2026-04-27T08:59:50.652Z",
"dateReserved": "2026-04-21T22:18:22.755Z",
"dateUpdated": "2026-04-28T03:55:38.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…