fkie_cve-2025-46548
Vulnerability from fkie_nvd
Published
2025-06-03 15:15
Modified
2025-07-02 14:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
References
security@apache.orghttps://github.com/akka/akka-management/pull/1385Exploit, Issue Tracking
security@apache.orghttps://github.com/apache/pekko-management/pull/418Issue Tracking, Patch
security@apache.orghttps://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2025/06/03/7Mailing List, Third Party Advisory
Impacted products
Vendor Product Version
apache pekko_management *
akka akka_management *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:pekko_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "100D0B74-D9C2-4DC2-B14E-25416E0A7B7B",
              "versionEndIncluding": "1.1.1",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:akka:akka_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "216EF615-CEA6-4CF7-8BE2-E215442B8935",
              "versionEndExcluding": "1.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1."
    },
    {
      "lang": "es",
      "value": "Si habilita la autenticaci\u00f3n b\u00e1sica en Pekko Management mediante el DSL de Java, es posible que el autenticador no se aplique correctamente. Se recomienda a los usuarios que dependen de la autenticaci\u00f3n en lugar de asegurarse de que los puertos de la API de administraci\u00f3n solo est\u00e9n disponibles para usuarios de confianza que actualicen a la versi\u00f3n 1.1.1, que soluciona este problema."
    }
  ],
  "id": "CVE-2025-46548",
  "lastModified": "2025-07-02T14:19:10.130",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-03T15:15:59.110",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://github.com/akka/akka-management/pull/1385"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/apache/pekko-management/pull/418"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.