rhsa-2025:3172
Vulnerability from csaf_redhat
Published
2025-03-25 19:58
Modified
2025-10-22 10:54
Summary
Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9
Notes
Topic
VolSync v0.12 general availability release images, which provide
enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Details
VolSync v0.12.1 is a Kubernetes operator that enables asynchronous
replication of persistent volumes within a cluster, or across clusters. After
deploying the VolSync operator, it can create and maintain copies of your
persistent data.
For more information about VolSync, see:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "VolSync v0.12 general availability release images, which provide\nenhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VolSync v0.12.1 is a Kubernetes operator that enables asynchronous\nreplication of persistent volumes within a cluster, or across clusters. After\ndeploying the VolSync operator, it can create and maintain copies of your\npersistent data.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/\n\nThis advisory contains enhancements and updates to the VolSync\ncontainer images.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3172",
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "ACM-19030",
"url": "https://issues.redhat.com/browse/ACM-19030"
},
{
"category": "external",
"summary": "HYPBLD-617",
"url": "https://issues.redhat.com/browse/HYPBLD-617"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3172.json"
}
],
"title": "Red Hat Security Advisory: VolSync 0.12.1 security fixes and enhancements for RHEL 9",
"tracking": {
"current_release_date": "2025-10-22T10:54:34+00:00",
"generator": {
"date": "2025-10-22T10:54:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2025:3172",
"initial_release_date": "2025-03-25T19:58:29+00:00",
"revision_history": [
{
"date": "2025-03-25T19:58:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-25T19:58:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-22T10:54:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.13::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat ACM"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product_id": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
},
{
"category": "product_version",
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product": {
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product_id": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-operator-bundle\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product_id": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product_id": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product_id": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.12.1-2"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64"
},
"product_reference": "rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9",
"product_id": "9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64",
"relates_to_product_reference": "9Base-RHACM-2.13"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-25T19:58:29+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-25T19:58:29+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3172"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.13:rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le",
"9Base-RHACM-2.13:rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…