github - ghsa-6pp6-5h3q-mgg3

ghsa-6pp6-5h3q-mgg3

Vulnerability from github

Published

2025-05-14 21:31

Modified

2025-05-14 21:31

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-2900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T19:15:52Z",
    "severity": "HIGH"
  },
  "details": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.",
  "id": "GHSA-6pp6-5h3q-mgg3",
  "modified": "2025-05-14T21:31:18Z",
  "published": "2025-05-14T21:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2900"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7233415"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-2900 (GCVE-0-2025-2900)

Vulnerability from cvelistv5

Published

2025-05-14 18:50

Modified

2025-08-28 14:12

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-122 - Heap-based Buffer Overflow

Summary

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/7233415	vendor-advisory, patch

Impacted products

	Vendor	Product	Version
	IBM	Semeru Runtime	Version: 8.0.302.0 ≤ 8.0.442.0 Version: 11.0.12.0 ≤ 11.0.26.0 Version: 17.0.0.0 ≤ 17.0.14.0 Version: 21.0.0.0 ≤ 21.0.6.0 cpe:2.3:a:ibm:semeru_runtime:8.0.302.0:::::::* cpe:2.3:a:ibm:semeru_runtime:8.0.442.0:::::::* cpe:2.3:a:ibm:semeru_runtime:11.0.12.0:::::::* cpe:2.3:a:ibm:semeru_runtime:11.0.26.0:::::::* cpe:2.3:a:ibm:semeru_runtime:17.0.0.0:::::::* cpe:2.3:a:ibm:semeru_runtime:17.0.14.0:::::::* cpe:2.3:a:ibm:semeru_runtime:21.0.0.0:::::::* cpe:2.3:a:ibm:semeru_runtime:21.0.6.0:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T19:42:43.060744Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T19:43:19.127Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:semeru_runtime:8.0.302.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:8.0.442.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:11.0.12.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:11.0.26.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:17.0.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:17.0.14.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:21.0.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:semeru_runtime:21.0.6.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Semeru Runtime",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.0.442.0",
              "status": "affected",
              "version": "8.0.302.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.26.0",
              "status": "affected",
              "version": "11.0.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "17.0.14.0",
              "status": "affected",
              "version": "17.0.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "21.0.6.0",
              "status": "affected",
              "version": "21.0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation."
            }
          ],
          "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:12:21.020Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7233415"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Remediation/Fixes\u003cbr\u003e\u003cbr\u003e8.0.452.0\u003cbr\u003e11.0.27.0\u003cbr\u003e17.0.15.0\u003cbr\u003e21.0.7.0\u003cbr\u003e\u003cbr\u003eIBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.\u003cbr\u003e\u003cbr\u003eIBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.\u003cbr\u003e"
            }
          ],
          "value": "Remediation/Fixes\n\n8.0.452.0\n11.0.27.0\n17.0.15.0\n21.0.7.0\n\nIBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.\n\nIBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Semeru Runtime denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-2900",
    "datePublished": "2025-05-14T18:50:27.327Z",
    "dateReserved": "2025-03-28T02:06:38.367Z",
    "dateUpdated": "2025-08-28T14:12:21.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted