CVE-2025-3840 (GCVE-0-2025-3840)
Vulnerability from cvelistv5 – Published: 2025-04-21 09:39 – Updated: 2025-04-21 12:38
Summary
An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA-based Connect installer component, which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023, with end of support extended until January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts, which would lead to an XSS attack under certain conditions.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:37:34.087132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T12:38:16.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eAn actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:39:16.343Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003elink\u003c/a\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3840",
"datePublished": "2025-04-21T09:39:16.343Z",
"dateReserved": "2025-04-21T09:34:01.701Z",
"dateUpdated": "2025-04-21T12:38:16.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3838 (GCVE-0-2025-3838)
Vulnerability from cvelistv5 – Published: 2025-04-21 09:33 – Updated: 2025-04-21 12:47
Summary
An Improper Authorization vulnerability was identified in the EOL OVA-based Connect component, which is deployed for installation purposes in the customer's internal network. Under certain conditions, this could allow an attacker to gain unauthorized access to the local database containing the installer's weakly hashed credentials. This EOL component was deprecated in September 2023, with end of support extended until January 2024.
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:46:52.331775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T12:47:37.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAn Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eUnder certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis EOL component was deprecated in September 2023 with end of support extended till January 2024.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:33:33.390Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003e\u003cspan style=\"background-color: transparent;\"\u003elink\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Authorization in the installer for the EOL OVA based connect component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3838",
"datePublished": "2025-04-21T09:33:33.390Z",
"dateReserved": "2025-04-21T09:22:37.451Z",
"dateUpdated": "2025-04-21T12:47:37.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3837 (GCVE-0-2025-3837)
Vulnerability from cvelistv5 – Published: 2025-04-21 09:20 – Updated: 2025-04-21 13:05
Summary
An improper input validation vulnerability was identified in the End of Life (EOL) OVA-based Connect component, which is deployed for installation purposes in the customer's internal network. This EOL component was deprecated in September 2023, with end of support extended until January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject a code-execution payload, which could lead to remote code execution on the infrastructure hosting this component.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:48:02.361321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:05:14.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component."
}
],
"value": "An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:20:14.110Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003e\u003cspan style=\"background-color: transparent;\"\u003elink\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation vulnerability in the End of Life (EOL) OVA based connect component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3837",
"datePublished": "2025-04-21T09:20:14.110Z",
"dateReserved": "2025-04-21T08:33:27.146Z",
"dateUpdated": "2025-04-21T13:05:14.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3840 (GCVE-0-2025-3840)
Vulnerability from nvd – Published: 2025-04-21 09:39 – Updated: 2025-04-21 12:38
Summary
An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA-based Connect installer component, which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023, with end of support extended until January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts, which would lead to an XSS attack under certain conditions.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:37:34.087132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T12:38:16.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eAn actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:39:16.343Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003elink\u003c/a\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3840",
"datePublished": "2025-04-21T09:39:16.343Z",
"dateReserved": "2025-04-21T09:34:01.701Z",
"dateUpdated": "2025-04-21T12:38:16.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3838 (GCVE-0-2025-3838)
Vulnerability from nvd – Published: 2025-04-21 09:33 – Updated: 2025-04-21 12:47
Summary
An Improper Authorization vulnerability was identified in the EOL OVA-based Connect component, which is deployed for installation purposes in the customer's internal network. Under certain conditions, this could allow an attacker to gain unauthorized access to the local database containing the installer's weakly hashed credentials. This EOL component was deprecated in September 2023, with end of support extended until January 2024.
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:46:52.331775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T12:47:37.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAn Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eUnder certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis EOL component was deprecated in September 2023 with end of support extended till January 2024.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:33:33.390Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003e\u003cspan style=\"background-color: transparent;\"\u003elink\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Authorization in the installer for the EOL OVA based connect component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3838",
"datePublished": "2025-04-21T09:33:33.390Z",
"dateReserved": "2025-04-21T09:22:37.451Z",
"dateUpdated": "2025-04-21T12:47:37.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3837 (GCVE-0-2025-3837)
Vulnerability from nvd – Published: 2025-04-21 09:20 – Updated: 2025-04-21 13:05
Summary
An improper input validation vulnerability was identified in the End of Life (EOL) OVA-based Connect component, which is deployed for installation purposes in the customer's internal network. This EOL component was deprecated in September 2023, with end of support extended until January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject a code-execution payload, which could lead to remote code execution on the infrastructure hosting this component.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | Status |
|---|---|---|---|
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | AlmaLinux-8.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | CentOS-7.x_SC2.0-Client-3.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-2.0 | Affected |
| Saviynt | OVA based Connect | RHEL-8.x_SC2.0-Client-3.0 | Affected |
Credits
Achmea Security Assessment Team (SAT)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T12:48:02.361321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:05:14.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "OVA based Connect",
"platforms": [
"Linux"
],
"product": "OVA based Connect",
"vendor": "Saviynt",
"versions": [
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "AlmaLinux-8.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "CentOS-7.x_SC2.0-Client-3.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-2.0"
},
{
"status": "affected",
"version": "RHEL-8.x_SC2.0-Client-3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Achmea Security Assessment Team (SAT)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component."
}
],
"value": "An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T09:20:14.110Z",
"orgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"shortName": "Saviynt"
},
"references": [
{
"url": "https://saviynt.com/trust-compliance-security"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow this documentation \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm\"\u003e\u003cspan style=\"background-color: transparent;\"\u003elink\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;and migrate to the latest version of Saviynt Connect component\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation vulnerability in the End of Life (EOL) OVA based connect component",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd8dbf88-98d9-42c6-be08-cf8e48a32093",
"assignerShortName": "Saviynt",
"cveId": "CVE-2025-3837",
"datePublished": "2025-04-21T09:20:14.110Z",
"dateReserved": "2025-04-21T08:33:27.146Z",
"dateUpdated": "2025-04-21T13:05:14.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}