Common Weakness Enumeration

CWE-441

Allowed-with-Review

Unintended Proxy or Intermediary ('Confused Deputy')

Abstraction: Class · Status: Draft

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

155 vulnerabilities reference this CWE, most recent first.

CVE-2026-6993 (GCVE-0-2026-6993)

Vulnerability from cvelistv5 – Published: 2026-04-25 18:30 – Updated: 2026-04-27 13:41 X_Open Source
VLAI
Title
go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy
Summary
A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Intermediary
Assigner
Impacted products
Vendor Product Version
go-kratos kratos Affected: 2.9.0
Affected: 2.9.1
Affected: 2.9.2
Create a notification for this product.
Credits
Yu_Bao (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6993",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T13:40:59.388864Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T13:41:17.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "http.DefaultServeMux Fallback Handler"
          ],
          "product": "kratos",
          "vendor": "go-kratos",
          "versions": [
            {
              "status": "affected",
              "version": "2.9.0"
            },
            {
              "status": "affected",
              "version": "2.9.1"
            },
            {
              "status": "affected",
              "version": "2.9.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Yu_Bao (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 0284a5bcf92b5a7ee015300ce3051baf7ae4718d. Applying a patch is advised to resolve this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "Unintended Intermediary",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-25T18:30:16.160Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-359545 | go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/359545"
        },
        {
          "name": "VDB-359545 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/359545/cti"
        },
        {
          "name": "Submit #797099 | go-kratos kratos 2.9.2 Unintended Route Exposure via DefaultServeMux Fallback",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/797099"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/go-kratos/kratos/issues/3810"
        },
        {
          "tags": [
            "issue-tracking",
            "patch"
          ],
          "url": "https://github.com/go-kratos/kratos/pull/3814"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Yanhu007/kratos/commit/0284a5bcf92b5a7ee015300ce3051baf7ae4718d"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/go-kratos/kratos/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-24T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-04-24T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-04-24T21:48:42.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "go-kratos http.DefaultServeMux Fallback server.go NewServer confused deputy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-6993",
    "datePublished": "2026-04-25T18:30:16.160Z",
    "dateReserved": "2026-04-24T19:43:37.550Z",
    "dateUpdated": "2026-04-27T13:41:17.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3160 (GCVE-0-2026-3160)

Vulnerability from cvelistv5 – Published: 2026-05-14 05:35 – Updated: 2026-05-14 13:09
VLAI
Title
Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 13.7 , < 18.9.7 (semver)
Affected: 18.10 , < 18.10.6 (semver)
Affected: 18.11 , < 18.11.3 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [maksyche](https://hackerone.com/maksyche) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3160",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:09:16.159396Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:09:24.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.9.7",
              "status": "affected",
              "version": "13.7",
              "versionType": "semver"
            },
            {
              "lessThan": "18.10.6",
              "status": "affected",
              "version": "18.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.11.3",
              "status": "affected",
              "version": "18.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [maksyche](https://hackerone.com/maksyche) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T05:35:57.340Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "HackerOne Bug Bounty Report #3566042",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3566042"
        },
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591354"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above. Additionally, review the Jira API token used in your integration and ensure it is scoped to only the Jira projects you intend to expose. The project keys field in the integration configuration filters the displayed issues but does not restrict the token\u0027s access. To limit which issues can be read through the integration, generate the API token from a Jira account with access only to the desired projects."
        }
      ],
      "title": "Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027) in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-3160",
    "datePublished": "2026-05-14T05:35:57.340Z",
    "dateReserved": "2026-02-24T21:03:59.433Z",
    "dateUpdated": "2026-05-14T13:09:24.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68944 (GCVE-0-2025-68944)

Vulnerability from cvelistv5 – Published: 2025-12-26 03:37 – Updated: 2025-12-26 19:28
VLAI
Summary
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
Impacted products
Vendor Product Version
Gitea Gitea Affected: 0 , < 1.22.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68944",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-26T19:28:17.625511Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-26T19:28:23.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:golang/code.gitea.io/gitea",
          "product": "Gitea",
          "vendor": "Gitea",
          "versions": [
            {
              "lessThan": "1.22.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.22.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441 Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T18:59:09.375Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://blog.gitea.com/release-of-1.22.2/"
        },
        {
          "url": "https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
        },
        {
          "url": "https://github.com/go-gitea/gitea/pull/31967"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-68944",
    "datePublished": "2025-12-26T03:37:28.693Z",
    "dateReserved": "2025-12-26T03:37:28.412Z",
    "dateUpdated": "2025-12-26T19:28:23.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68667 (GCVE-0-2025-68667)

Vulnerability from cvelistv5 – Published: 2025-12-23 22:45 – Updated: 2025-12-26 20:49
VLAI
Title
Conduit-derived homeservers are affected by a Confused Deputy and Improper Input Validation issue
Summary
Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. Attackers can forge "leave" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge "invite" events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge "ban" events from a victim user to any user below the victim user's power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, however cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68667",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-24T14:51:42.373847Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-24T14:51:52.781Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "continuwuity",
          "vendor": "continuwuity",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event\u0027s state_key is a valid user ID belonging to the target server. Attackers can forge \"leave\" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge \"invite\" events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge \"ban\" events from a victim user to any user below the victim user\u0027s power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, however cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-26T20:49:02.208Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8"
        },
        {
          "name": "https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3"
        },
        {
          "name": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047"
        },
        {
          "name": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5"
        },
        {
          "name": "https://gitlab.com/famedly/conduit/-/releases/v0.10.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/famedly/conduit/-/releases/v0.10.10"
        },
        {
          "name": "https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c"
        }
      ],
      "source": {
        "advisory": "GHSA-22fw-4jq7-g8r8",
        "discovery": "UNKNOWN"
      },
      "title": "Conduit-derived homeservers are affected by a Confused Deputy and Improper Input Validation issue"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68667",
    "datePublished": "2025-12-23T22:45:25.958Z",
    "dateReserved": "2025-12-22T23:37:00.930Z",
    "dateUpdated": "2025-12-26T20:49:02.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66415 (GCVE-0-2025-66415)

Vulnerability from cvelistv5 – Published: 2025-12-01 22:39 – Updated: 2025-12-02 14:13
VLAI
Title
fastify-reply-from bypass of reply forwarding
Summary
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
References
Impacted products
Vendor Product Version
fastify fastify-reply-from Affected: < 12.5.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66415",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T14:13:33.196001Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T14:13:45.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fastify-reply-from",
          "vendor": "fastify",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 12.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T22:39:32.468Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h"
        },
        {
          "name": "https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66"
        }
      ],
      "source": {
        "advisory": "GHSA-2q7r-29rg-6m5h",
        "discovery": "UNKNOWN"
      },
      "title": "fastify-reply-from bypass of reply forwarding"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66415",
    "datePublished": "2025-12-01T22:39:32.468Z",
    "dateReserved": "2025-11-28T23:33:56.366Z",
    "dateUpdated": "2025-12-02T14:13:45.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64125 (GCVE-0-2025-64125)

Vulnerability from cvelistv5 – Published: 2026-01-03 00:21 – Updated: 2026-01-05 20:37
VLAI
Title
Nuvation Energy nCloud Client-to-Client Communication
Summary
A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary
Assigner
Impacted products
Vendor Product Version
Nuvation Energy nCloud VPN Service Affected: 2025-12-1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64125",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-05T20:31:26.347125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-05T20:37:11.369Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "nCloud VPN Service",
          "vendor": "Nuvation Energy",
          "versions": [
            {
              "status": "affected",
              "version": "2025-12-1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.\u003cp\u003eThis issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue.\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-700",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-700 Network Boundary Bridging"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-03T00:21:20.052Z",
        "orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
        "shortName": "Dragos"
      },
      "references": [
        {
          "url": "https://www.dragos.com/community/advisories/CVE-2025-64119"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Nuvation Energy nCloud Client-to-Client Communication",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
    "assignerShortName": "Dragos",
    "cveId": "CVE-2025-64125",
    "datePublished": "2026-01-03T00:21:20.052Z",
    "dateReserved": "2025-10-27T17:12:37.786Z",
    "dateUpdated": "2026-01-05T20:37:11.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64123 (GCVE-0-2025-64123)

Vulnerability from cvelistv5 – Published: 2026-01-02 21:41 – Updated: 2026-01-05 20:37
VLAI
Title
Nuvation Energy Multi-Stack Controller Proxy service allows arbitrary BMS access
Summary
Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary
Assigner
Impacted products
Vendor Product Version
Nuvation Energy Multi-Stack Controller (MSC) Affected: 0 , ≤ 2.5.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64123",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-05T20:32:30.427925Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-05T20:37:19.148Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Multi-Stack Controller (MSC)",
          "vendor": "Nuvation Energy",
          "versions": [
            {
              "lessThanOrEqual": "2.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.\u003cp\u003eThis issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.\u003c/p\u003e"
            }
          ],
          "value": "Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-700",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-700 Network Boundary Bridging"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/S:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-03T00:25:05.095Z",
        "orgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
        "shortName": "Dragos"
      },
      "references": [
        {
          "url": "https://www.dragos.com/community/advisories/CVE-2025-64119"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Nuvation Energy Multi-Stack Controller Proxy service allows arbitrary BMS access",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "12bdf821-1545-4a87-aac5-61670cc6fcef",
    "assignerShortName": "Dragos",
    "cveId": "CVE-2025-64123",
    "datePublished": "2026-01-02T21:41:25.568Z",
    "dateReserved": "2025-10-27T17:12:37.786Z",
    "dateUpdated": "2026-01-05T20:37:19.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-62718 (GCVE-0-2025-62718)

Vulnerability from cvelistv5 – Published: 2026-04-09 14:31 – Updated: 2026-07-15 01:25
VLAI
Title
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Summary
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-918 - Server-Side Request Forgery (SSRF)
  • CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
URL Tags
https://github.com/axios/axios/security/advisorie… x_refsource_CONFIRM
https://github.com/axios/axios/pull/10661 x_refsource_MISC
https://github.com/axios/axios/pull/10688 x_refsource_MISC
https://github.com/axios/axios/commit/03cdfc99e8d… x_refsource_MISC
https://github.com/axios/axios/commit/fb3befb6daa… x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc1034#sec… x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc3986#sec… x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.31.0 x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.15.0 x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2025-62718 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2456913 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:24761 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26010 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16874 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:36882 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:20889 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:20938 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24766 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24866 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9742 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13826 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14937 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24977 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19712 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10175 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8483 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8490 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8491 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8493 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8484 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22840 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22629 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21017 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24853 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19375 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:22465 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:23361 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:24471 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13571 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:17657 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:17699 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
axios axios Affected: >= 1.0.0, < 1.15.0
Affected: < 0.31.0
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8 Unaffected: 0:2.5.20260422-3.el8ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9 Unaffected: 0:2.5.20260422-3.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
Create a notification for this product.
Red Hat Streams for Apache Kafka 3.2.0     cpe:/a:redhat:amq_streams:3.2::el9
Create a notification for this product.
Red Hat Cluster Observability Operator 1.5.0 Unaffected: 1781116645 , < * (rpm)
    cpe:/a:redhat:cluster_observability_operator:1.5::el9
Create a notification for this product.
Red Hat Cluster Observability Operator 1.5.0 Unaffected: 1781116658 , < * (rpm)
    cpe:/a:redhat:cluster_observability_operator:1.5::el9
Create a notification for this product.
Red Hat Cluster Observability Operator 1.5.0 Unaffected: 1781116387 , < * (rpm)
    cpe:/a:redhat:cluster_observability_operator:1.5::el9
Create a notification for this product.
Red Hat Cluster Observability Operator 1.5.0 Unaffected: 1781116392 , < * (rpm)
    cpe:/a:redhat:cluster_observability_operator:1.5::el9
Create a notification for this product.
Red Hat Cluster Observability Operator 1.5.0 Unaffected: 1781116667 , < * (rpm)
    cpe:/a:redhat:cluster_observability_operator:1.5::el9
Create a notification for this product.
Red Hat multicluster engine for Kubernetes 2.6 Unaffected: 1778511348 , < * (rpm)
    cpe:/a:redhat:multicluster_engine:2.6::el9
Create a notification for this product.
Red Hat multicluster engine for Kubernetes 2.8 Unaffected: 1778383863 , < * (rpm)
    cpe:/a:redhat:multicluster_engine:2.8::el9
Create a notification for this product.
Red Hat Network Observability (NETOBSERV) 1.11.2 Unaffected: 1778508956 , < * (rpm)
    cpe:/a:redhat:network_observ_optr:1.11::el9
Create a notification for this product.
Red Hat Network Observability (NETOBSERV) 1.11.2 Unaffected: 1778510461 , < * (rpm)
    cpe:/a:redhat:network_observ_optr:1.11::el9
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.14 Unaffected: 1783451729 , < * (rpm)
    cpe:/a:redhat:acm:2.14::el9
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.10 Unaffected: 1779293013 , < * (rpm)
    cpe:/a:redhat:advanced_cluster_security:4.10::el8
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Security for Kubernetes 4.9 Unaffected: 1779371594 , < * (rpm)
    cpe:/a:redhat:advanced_cluster_security:4.9::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 Unaffected: 1780082949 , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.6 Unaffected: 1779784904 , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.6::el9
Create a notification for this product.
Red Hat Red Hat Developer Hub 1.8 Unaffected: 1776784286 , < * (rpm)
    cpe:/a:redhat:rhdh:1.8::el9
Create a notification for this product.
Red Hat Red Hat Developer Hub 1.9 Unaffected: 1777903262 , < * (rpm)
    cpe:/a:redhat:rhdh:1.9::el9
Create a notification for this product.
Red Hat Red Hat Discovery 2 Unaffected: 1778156756 , < * (rpm)
    cpe:/a:redhat:discovery:2::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780467029 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 2.25 Unaffected: 1780467147 , < * (rpm)
    cpe:/a:redhat:openshift_ai:2.25::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 3.3 Unaffected: 1779189627 , < * (rpm)
    cpe:/a:redhat:openshift_ai:3.3::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 3.3 Unaffected: 1778473763 , < * (rpm)
    cpe:/a:redhat:openshift_ai:3.3::el9
Create a notification for this product.
Red Hat Red Hat OpenShift AI 3.3 Unaffected: 1778666987 , < * (rpm)
    cpe:/a:redhat:openshift_ai:3.3::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.27 Unaffected: 1776744110 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.27::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Dev Spaces 3.27 Unaffected: 1776795511 , < * (rpm)
    cpe:/a:redhat:openshift_devspaces:3.27::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 2.6 Unaffected: 1776202125 , < * (rpm)
    cpe:/a:redhat:service_mesh:2.6::el8
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 2.6 Unaffected: 1776191302 , < * (rpm)
    cpe:/a:redhat:service_mesh:2.6::el8
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3 Unaffected: 1776151124 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.0::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3 Unaffected: 1776151272 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.0::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.1 Unaffected: 1776151106 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.1::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.1 Unaffected: 1776151270 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.1::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.2 Unaffected: 1776155669 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.2::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.2 Unaffected: 1776149682 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.2::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.3 Unaffected: 1776151134 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.3::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 3.3 Unaffected: 1776151277 , < * (rpm)
    cpe:/a:redhat:service_mesh:3.3::el9
Create a notification for this product.
Red Hat Red Hat Quay 3.10 Unaffected: 1779822261 , < * (rpm)
    cpe:/a:redhat:quay:3.10::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.12 Unaffected: 1779811412 , < * (rpm)
    cpe:/a:redhat:quay:3.12::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.14 Unaffected: 1779689392 , < * (rpm)
    cpe:/a:redhat:quay:3.14::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.15 Unaffected: 1780891395 , < * (rpm)
    cpe:/a:redhat:quay:3.15::el8
Create a notification for this product.
Red Hat Red Hat Quay 3.16 Unaffected: 1779204086 , < * (rpm)
    cpe:/a:redhat:quay:3.16::el9
Create a notification for this product.
Red Hat Red Hat Quay 3.17 Unaffected: 1779922205 , < * (rpm)
    cpe:/a:redhat:quay:3.17::el9
Create a notification for this product.
Red Hat Red Hat Quay 3.9 Unaffected: 1779811473 , < * (rpm)
    cpe:/a:redhat:quay:3.9::el8
Create a notification for this product.
Red Hat Red Hat Trusted Artifact Signer 1.3 Unaffected: 1779971506 , < * (rpm)
    cpe:/a:redhat:trusted_artifact_signer:1.3::el9
Create a notification for this product.
Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
Create a notification for this product.
Red Hat Gatekeeper 3     cpe:/a:redhat:gatekeeper:3
Create a notification for this product.
Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
Create a notification for this product.
Red Hat Migration Toolkit for Containers     cpe:/a:redhat:rhmt:1
Create a notification for this product.
Red Hat Multicluster Engine for Kubernetes     cpe:/a:redhat:multicluster_engine
Create a notification for this product.
Red Hat Network Observability Operator     cpe:/a:redhat:network_observ_optr:1
Create a notification for this product.
Red Hat OpenShift Pipelines     cpe:/a:redhat:openshift_pipelines:1
Create a notification for this product.
Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
Create a notification for this product.
Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
Create a notification for this product.
Red Hat Red Hat 3scale API Management Platform 2     cpe:/a:redhat:red_hat_3scale_amp:2
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2     cpe:/a:redhat:ansible_automation_platform:2
Create a notification for this product.
Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
Create a notification for this product.
Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
Create a notification for this product.
Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
Create a notification for this product.
Red Hat Red Hat Build of Kueue     cpe:/a:redhat:kueue_operator:1
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
Create a notification for this product.
Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
Create a notification for this product.
Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
Create a notification for this product.
Red Hat Red Hat Trusted Profile Analyzer     cpe:/a:redhat:trusted_profile_analyzer:2
Create a notification for this product.
Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
Create a notification for this product.
Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62718",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T15:02:50.313939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:15:31.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-gateway",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.5.20260422-3.el8ap",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-gateway",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.5.20260422-3.el9ap",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:3.2::el9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "axios",
            "product": "Streams for Apache Kafka 3.2.0",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9",
            "product": "Cluster Observability Operator 1.5.0",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781116645",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9",
            "product": "Cluster Observability Operator 1.5.0",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781116658",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9",
            "product": "Cluster Observability Operator 1.5.0",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781116387",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "cluster-observability-operator/distributed-tracing-console-plugin-rhel9",
            "product": "Cluster Observability Operator 1.5.0",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781116392",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "cluster-observability-operator/monitoring-console-plugin-pf5-rhel9",
            "product": "Cluster Observability Operator 1.5.0",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781116667",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine:2.6::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "multicluster-engine/console-mce-rhel9",
            "product": "multicluster engine for Kubernetes 2.6",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778511348",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine:2.8::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "multicluster-engine/console-mce-rhel9",
            "product": "multicluster engine for Kubernetes 2.8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778383863",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:network_observ_optr:1.11::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "network-observability/network-observability-console-plugin-compat-rhel9",
            "product": "Network Observability (NETOBSERV) 1.11.2",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778508956",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:network_observ_optr:1.11::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "network-observability/network-observability-console-plugin-rhel9",
            "product": "Network Observability (NETOBSERV) 1.11.2",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778510461",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:acm:2.14::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhacm2/console-rhel9",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1783451729",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:advanced_cluster_security:4.10::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "advanced-cluster-security/rhacs-main-rhel8",
            "product": "Red Hat Advanced Cluster Security for Kubernetes 4.10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779293013",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:advanced_cluster_security:4.9::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "advanced-cluster-security/rhacs-main-rhel8",
            "product": "Red Hat Advanced Cluster Security for Kubernetes 4.9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779371594",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-automation-platform-25/lightspeed-rhel8",
            "product": "Red Hat Ansible Automation Platform 2.5",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780082949",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-automation-platform-26/lightspeed-rhel9",
            "product": "Red Hat Ansible Automation Platform 2.6",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779784904",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:rhdh:1.8::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhdh/rhdh-hub-rhel9",
            "product": "Red Hat Developer Hub 1.8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776784286",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:rhdh:1.9::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhdh/rhdh-hub-rhel9",
            "product": "Red Hat Developer Hub 1.9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1777903262",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:discovery:2::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "discovery/discovery-ui-rhel9",
            "product": "Red Hat Discovery 2",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778156756",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-dashboard-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780467029",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:2.25::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-mod-arch-model-registry-rhel9",
            "product": "Red Hat OpenShift AI 2.25",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780467147",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-dashboard-rhel9",
            "product": "Red Hat OpenShift AI 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779189627",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-mod-arch-gen-ai-rhel9",
            "product": "Red Hat OpenShift AI 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778473763",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-mod-arch-model-registry-rhel9",
            "product": "Red Hat OpenShift AI 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778666987",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.27::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/code-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.27",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776744110",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:openshift_devspaces:3.27::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "devspaces/dashboard-rhel9",
            "product": "Red Hat OpenShift Dev Spaces 3.27",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776795511",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:2.6::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-ossmc-rhel8",
            "product": "Red Hat OpenShift Service Mesh 2.6",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776202125",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:2.6::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-rhel8",
            "product": "Red Hat OpenShift Service Mesh 2.6",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776191302",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.0::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151124",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.0::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151272",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.1::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151106",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.1::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.1",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151270",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.2::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.2",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776155669",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.2::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.2",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776149682",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-ossmc-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151134",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-service-mesh/kiali-rhel9",
            "product": "Red Hat OpenShift Service Mesh 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1776151277",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.10::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel8",
            "product": "Red Hat Quay 3.10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779822261",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.12::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel8",
            "product": "Red Hat Quay 3.12",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779811412",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.14::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel8",
            "product": "Red Hat Quay 3.14",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779689392",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.15::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel8",
            "product": "Red Hat Quay 3.15",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1780891395",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.16::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel9",
            "product": "Red Hat Quay 3.16",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779204086",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.17::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel9",
            "product": "Red Hat Quay 3.17",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779922205",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:quay:3.9::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "quay/quay-rhel8",
            "product": "Red Hat Quay 3.9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779811473",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhtas/rhtas-console-ui-rhel9",
            "product": "Red Hat Trusted Artifact Signer 1.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1779971506",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:cryostat:4"
            ],
            "defaultStatus": "unaffected",
            "packageName": "axios",
            "product": "Cryostat 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:gatekeeper:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/gatekeeper-3-18",
            "product": "Gatekeeper 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:gatekeeper:3"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/gatekeeper-3-19",
            "product": "Gatekeeper 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:migration_toolkit_applications:8"
            ],
            "defaultStatus": "affected",
            "packageName": "mta/mta-ui-rhel8",
            "product": "Migration Toolkit for Applications 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:migration_toolkit_applications:8"
            ],
            "defaultStatus": "affected",
            "packageName": "mta/mta-ui-rhel9",
            "product": "Migration Toolkit for Applications 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:migration_toolkit_applications:8"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/art-images",
            "product": "Migration Toolkit for Applications 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhmt:1"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/art-images",
            "product": "Migration Toolkit for Containers",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-mce-mce-211",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-mce-mce-26",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-mce-mce-27",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-mce-mce-28",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:multicluster_engine"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-mce-mce-29",
            "product": "Multicluster Engine for Kubernetes",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:network_observ_optr:1"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/network-observability-console-plugin-zstream",
            "product": "Network Observability Operator",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_pipelines:1"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/hub-ui-rhel9",
            "product": "OpenShift Pipelines",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_pipelines:1"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/pipelines-hub-ui-rhel9",
            "product": "OpenShift Pipelines",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-2-6-ossmc",
            "product": "OpenShift Service Mesh 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-0",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kiali-3-0-bundle",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kiali-3-0-operator",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-1",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kiali-3-1-bundle",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kiali-3-1-operator",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-1-ossmc",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-2",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-2-ossmc",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-3",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/kiali-3-3-ossmc",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "packageName": "3scale-amp21/system",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "packageName": "3scale-amp22/system",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "packageName": "3scale-amp2/system-rhel7",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "packageName": "3scale-amp2/system-rhel8",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:red_hat_3scale_amp:2"
            ],
            "defaultStatus": "affected",
            "packageName": "3scale-amp2/system-rhel9",
            "product": "Red Hat 3scale API Management Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:acm:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-acm-215",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:acm:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/console-acm-216",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-automation-platform-26/lightspeed-rhel9-operator",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-controller",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-hub",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "automation-platform-ui",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "python3.11-galaxy-ng",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "python3.12-galaxy-ng",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "python3x-galaxy-ng",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "python-galaxy-ng",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/automation-reports",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/gateway-rhel9",
            "product": "Red Hat Ansible Automation Platform 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apache_camel_hawtio:4"
            ],
            "defaultStatus": "affected",
            "packageName": "axios",
            "product": "Red Hat build of Apache Camel - HawtIO 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:service_registry:2"
            ],
            "defaultStatus": "affected",
            "packageName": "axios",
            "product": "Red Hat build of Apicurio Registry 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apicurio_registry:3"
            ],
            "defaultStatus": "affected",
            "packageName": "apicurio/apicurio-registry-ui-rhel8",
            "product": "Red Hat build of Apicurio Registry 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:apicurio_registry:3"
            ],
            "defaultStatus": "affected",
            "packageName": "apicurio/apicurio-registry-ui-rhel9",
            "product": "Red Hat build of Apicurio Registry 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:kueue_operator:1"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kueue-0-12",
            "product": "Red Hat Build of Kueue",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:kueue_operator:1"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kueue-bundle-1-1",
            "product": "Red Hat Build of Kueue",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:kueue_operator:1"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kueue-must-gather-1-1",
            "product": "Red Hat Build of Kueue",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:kueue_operator:1"
            ],
            "defaultStatus": "unaffected",
            "packageName": "redhat-user-workloads/kueue-operator-1-1",
            "product": "Red Hat Build of Kueue",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "axios",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhdh:1"
            ],
            "defaultStatus": "affected",
            "packageName": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor",
            "product": "Red Hat Developer Hub",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "grafana",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "grafana",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "rhelai3/bootc-cuda-rhel9",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "rhelai3/bootc-rocm-rhel9",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "packageName": "rhelai3/disk-image-cuda-rhel9",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "packageName": "axios",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unaffected",
            "packageName": "rhoai/odh-dashboard-rhel8",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "packageName": "rhoai/odh-mod-arch-maas-rhel9",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift3/ose-console",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift4/ose-console",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "unaffected",
            "packageName": "openshift4/ose-console-rhel9",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/art-images",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-console-plugin",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-console-plugin-rhel9",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "affected",
            "packageName": "openshift-virtualization/kubevirt-console-plugin-rhel9",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "axios",
            "product": "Red Hat Process Automation 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-12",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-13",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-14",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-15",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-16",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-17",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/quay-quay-v3-9",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/iop-advisor-frontend-sat-6-18",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/iop-host-inventory-frontend-sat-6-18",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:satellite:6"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/iop-vulnerability-frontend-sat-6-18",
            "product": "Red Hat Satellite 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:trusted_profile_analyzer:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/rhtpa-product-0-3-z",
            "product": "Red Hat Trusted Profile Analyzer",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:trusted_profile_analyzer:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/rhtpa-product-0-4-z",
            "product": "Red Hat Trusted Profile Analyzer",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_portal:2"
            ],
            "defaultStatus": "affected",
            "packageName": "redhat-user-workloads/ansible-plugins",
            "product": "Self-service automation portal 2",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:amq_streams:2"
            ],
            "defaultStatus": "unaffected",
            "packageName": "axios",
            "product": "streams for Apache Kafka 2",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-04-09T14:31:46.067Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1289",
                "description": "Improper Validation of Unsafe Equivalence in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:25:20.445Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2025-62718"
          },
          {
            "name": "RHBZ#2456913",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456913"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-62718.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24761"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26010"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16874"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36882"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:20889"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:20938"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24766"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24866"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9742"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13826"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:14937"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24977"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19712"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10175"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8483"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8490"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8491"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8493"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8484"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22840"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22629"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21017"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24853"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19375"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22465"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23361"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24471"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13571"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:17657"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:17699"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26010: Cluster Observability Operator 1.5.0"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16874: Network Observability (NETOBSERV) 1.11.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36882: Red Hat Advanced Cluster Management for Kubernetes 2.14"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:20889: Red Hat Advanced Cluster Security for Kubernetes 4.10"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:20938: Red Hat Advanced Cluster Security for Kubernetes 4.9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24766: Red Hat Ansible Automation Platform 2.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9742: Red Hat Developer Hub 1.8"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13826: Red Hat Developer Hub 1.9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:14937: Red Hat Discovery 2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24977: Red Hat OpenShift AI 2.25"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8483: Red Hat OpenShift Service Mesh 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8490: Red Hat OpenShift Service Mesh 3.1"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8491: Red Hat OpenShift Service Mesh 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8493: Red Hat OpenShift Service Mesh 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8484: Red Hat OpenShift Service Mesh 3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22840: Red Hat Quay 3.10"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22629: Red Hat Quay 3.12"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21017: Red Hat Quay 3.14"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24853: Red Hat Quay 3.15"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19375: Red Hat Quay 3.16"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:22465: Red Hat Quay 3.17"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23361: Red Hat Quay 3.9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24471: Red Hat Trusted Artifact Signer 1.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13571: Streams for Apache Kafka 3.2.0"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:17657: multicluster engine for Kubernetes 2.6"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:17699: multicluster engine for Kubernetes 2.8"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-09T15:01:48.111Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-09T14:31:46.067Z",
            "value": "Made public."
          }
        ],
        "title": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T18:44:20.705Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
        },
        {
          "name": "https://github.com/axios/axios/pull/10661",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10661"
        },
        {
          "name": "https://github.com/axios/axios/pull/10688",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10688"
        },
        {
          "name": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
        },
        {
          "name": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3p68-rc4w-qgx5",
        "discovery": "UNKNOWN"
      },
      "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62718",
    "datePublished": "2026-04-09T14:31:46.067Z",
    "dateReserved": "2025-10-20T19:41:22.741Z",
    "dateUpdated": "2026-07-15T01:25:20.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-61780 (GCVE-0-2025-61780)

Vulnerability from cvelistv5 – Published: 2025-10-10 16:53 – Updated: 2025-10-10 20:35
VLAI
Title
Rack has Possible Information Disclosure Vulnerability
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. When `Rack::Sendfile` received untrusted `x-sendfile-type` or `x-accel-mapping` headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls. An attacker could exploit this by setting a crafted `x-sendfile-type: x-accel-redirect` header, setting a crafted `x-accel-mapping` header, and requesting a path that qualifies for proxy-based acceleration. Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes. This issue only affected systems meeting all of the following conditions: The application used `Rack::Sendfile` with a proxy that supports `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set or remove the `x-sendfile-type` and `x-accel-mapping` headers; and the application exposed an endpoint that returned a body responding to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, which require explicit configuration to enable `x-accel-redirect`. Alternatively, configure the proxy to always set or strip the header, or in Rails applications, disable sendfile completely.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
Impacted products
Vendor Product Version
rack rack Affected: < 2.2.20
Affected: >= 3.0, < 3.1.18
Affected: >= 3.2, < 3.2.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61780",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-10T20:34:55.399317Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-10T20:35:26.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rack",
          "vendor": "rack",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.2.20"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0, \u003c 3.1.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2, \u003c 3.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. When `Rack::Sendfile` received untrusted `x-sendfile-type` or `x-accel-mapping` headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a \"redirect\" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy\u0027s access controls. An attacker could exploit this by setting a crafted `x-sendfile-type: x-accel-redirect` header, setting a crafted `x-accel-mapping` header, and requesting a path that qualifies for proxy-based acceleration. Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes. This issue only affected systems meeting all of the following conditions: The application used `Rack::Sendfile` with a proxy that supports `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set or remove the `x-sendfile-type` and `x-accel-mapping` headers; and the application exposed an endpoint that returned a body responding to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, which require explicit configuration to enable `x-accel-redirect`. Alternatively, configure the proxy to always set or strip the header, or in Rails applications, disable sendfile completely."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-913",
              "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T16:53:57.606Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557"
        },
        {
          "name": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784"
        },
        {
          "name": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a"
        },
        {
          "name": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85"
        }
      ],
      "source": {
        "advisory": "GHSA-r657-rxjc-j557",
        "discovery": "UNKNOWN"
      },
      "title": "Rack has Possible Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61780",
    "datePublished": "2025-10-10T16:53:57.606Z",
    "dateReserved": "2025-09-30T19:43:49.902Z",
    "dateUpdated": "2025-10-10T20:35:26.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48710 (GCVE-0-2025-48710)

Vulnerability from cvelistv5 – Published: 2025-06-04 05:50 – Updated: 2025-06-04 13:23
VLAI
Summary
kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro's controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Assigner
Impacted products
Vendor Product Version
kro.run kro Affected: 0.1.0 , < 0.2.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-04T13:23:25.727210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-04T13:23:37.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "kro",
          "vendor": "kro.run",
          "versions": [
            {
              "lessThan": "0.2.1",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "kro (Kube Resource Orchestrator) 0.1.0 before 0.2.1 allows users (with permission to create or modify ResourceGraphDefinition resources) to supply arbitrary container images. This can lead to a confused-deputy scenario where kro\u0027s controllers deploy and run attacker-controlled images, resulting in unauthenticated remote code execution on cluster nodes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T05:59:01.144Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/kro-run/kro/compare/v0.2.1...v0.2.2"
        },
        {
          "url": "https://orca.security/resources/blog/kubernetes-crd-abstraction-risks-kro/"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-48710",
    "datePublished": "2025-06-04T05:50:48.639Z",
    "dateReserved": "2025-05-23T04:16:39.433Z",
    "dateUpdated": "2025-06-04T13:23:37.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Enforce the use of strong mutual authentication mechanism between the two parties.

Mitigation
Architecture and Design

Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.

CAPEC-219: XML Routing Detour Attacks

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

CAPEC-465: Transparent Proxy Abuse

A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.