Vulnerability-Lookup

CVE-2024-47554 (GCVE-0-2024-47554)

Vulnerability from cvelistv5 – Published: 2024-10-03 11:32 – Updated: 2025-01-31 15:02

Title

Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader

Summary

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

apache

References

3 references

URL	Tags
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	vendor-advisory
http://www.openwall.com/lists/oss-security/2024/10/03/2
https://security.netapp.com/advisory/ntap-2025013…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Commons IO	Affected: 2.0 , < 2.14.0 (semver)

Credits

CodeQL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-47554",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T13:00:56.326970Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T15:03:37.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-31T15:02:47.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/10/03/2"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250131-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "commons-io:commons-io",
          "product": "Apache Commons IO",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.14.0",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "CodeQL"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Commons IO.\u003c/p\u003e\u003cp\u003eThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-03T11:32:48.936Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-47554",
    "datePublished": "2024-10-03T11:32:48.936Z",
    "dateReserved": "2024-09-26T16:12:46.116Z",
    "dateUpdated": "2025-01-31T15:02:47.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-47554",
      "date": "2026-06-22",
      "epss": "0.01249",
      "percentile": "0.65487"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de consumo descontrolado de recursos en Apache Commons IO. La clase org.apache.commons.io.input.XmlStreamReader puede consumir recursos de CPU en exceso al procesar una entrada manipulada con fines malintencionados. Este problema afecta a Apache Commons IO: desde la versi\\u00f3n 2.0 hasta la 2.14.0. Se recomienda a los usuarios que actualicen a la versi\\u00f3n 2.14.0 o posterior, que soluciona el problema.\"}]",
      "id": "CVE-2024-47554",
      "lastModified": "2024-12-04T15:15:11.940",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-10-03T12:15:02.613",
      "references": "[{\"url\": \"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\", \"source\": \"security@apache.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/10/03/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47554\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-10-03T12:15:02.613\",\"lastModified\":\"2025-07-10T21:10:32.113\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de consumo descontrolado de recursos en Apache Commons IO. La clase org.apache.commons.io.input.XmlStreamReader puede consumir recursos de CPU en exceso al procesar una entrada manipulada con fines malintencionados. Este problema afecta a Apache Commons IO: desde la versi\u00f3n 2.0 hasta la 2.14.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.14.0 o posterior, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndExcluding\":\"2.14.0\",\"matchCriteriaId\":\"133FC9D6-82C4-40E3-AB39-FE04E5A0BF4D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*\",\"matchCriteriaId\":\"B55E8D50-99B4-47EC-86F9-699B67D473CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC1AE8BD-EE3F-494C-9F03-D4B2B7233106\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB695329-036B-447D-BEB0-AA4D89D1D99C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"23F148EC-6D6D-4C4F-B57C-CFBCD3D32B41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"C2D814BE-93EC-42EF-88C5-EA7E7DF07BE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"5333B745-F7A3-46CB-8437-8668DB08CD6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*\",\"matchCriteriaId\":\"82E94B87-065E-475F-815C-F49978CE22FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDFB1169-41A0-4A86-8E4F-FDA9730B1E94\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/10/03/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250131-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/10/03/2\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20250131-0010/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-31T15:02:47.229Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47554\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-03T13:00:56.326970Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-03T13:00:59.433Z\"}}], \"cna\": {\"title\": \"Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"tool\", \"value\": \"CodeQL\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons IO\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0\", \"lessThan\": \"2.14.0\", \"versionType\": \"semver\"}], \"packageName\": \"commons-io:commons-io\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUncontrolled Resource Consumption vulnerability in Apache Commons IO.\u003c/p\u003e\u003cp\u003eThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-10-03T11:32:48.936Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47554\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-31T15:02:47.229Z\", \"dateReserved\": \"2024-09-26T16:12:46.116Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-10-03T11:32:48.936Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

NCSC-2025-0131

Vulnerability from csaf_ncscnl - Published: 2025-04-16 15:10 - Updated: 2025-04-16 15:10

Summary

Kwetsbaarheden verholpen in Oracle JD Edwards

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in JD Edwards EnterpriseOne Tools (Specifiek voor versies 9.2.0.0 tot 9.2.9.2).

Interpretaties: De kwetsbaarheden in JD Edwards EnterpriseOne Tools stellen ongeauthenticeerde kwaadwillenden in staat om via HTTP toegang te krijgen tot het systeem, wat kan leiden tot ongeautoriseerde toegang tot gevoelige gegevens en manipulatie daarvan of zelfs volledige overname van JD Edwards EnterpriseOne Tools. Enkele van de kwetsbaarheden kunnen leiden tot gedeeltelijke of volledige DoS, hiervoor is echter wel gebruikersinteractie vereist.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-1395: Dependency on Vulnerable Third-Party Component

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-416: Use After Free

CWE-400: Uncontrolled Resource Consumption

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-5535

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2024-23807

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-416 - Use After Free

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2024-25710

8.1 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2024-45613

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2024-47554

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2025-21586

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2025-30709

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

CVE-2025-30740

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products

Known affected 4 products

Product	Identifier	Version
vers:unknown/9.2.0.0-9.2.9.2 Oracle / JD Edwards	`cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2`	vers:unknown/9.2.0.0-9.2.9.2
vers:oracle/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle JD Edwards / JD Edwards EnterpriseOne Tools	`cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:::::::*`	vers:oracle/>=9.2.0.0\|<=9.2.9.2
vers:unknown/>=9.2.0.0\|<=9.2.9.2 Oracle / Oracle / Jd Edwards Enterpriseone Tools		vers:unknown/>=9.2.0.0\|<=9.2.9.2
vers:semver/9.2.0.0\|<=9.2.9.2 Oracle Corporation / JD Edwards EnterpriseOne Tools		vers:semver/9.2.0.0\|<=9.2.9.2

References

9 references

URL	Category
https://www.oracle.com/security-alerts/cpuapr2025.html	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2025…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2025…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2025…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in JD Edwards EnterpriseOne Tools (Specifiek voor versies 9.2.0.0 tot 9.2.9.2).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in JD Edwards EnterpriseOne Tools stellen ongeauthenticeerde kwaadwillenden in staat om via HTTP toegang te krijgen tot het systeem, wat kan leiden tot ongeautoriseerde toegang tot gevoelige gegevens en manipulatie daarvan of zelfs volledige overname van JD Edwards EnterpriseOne Tools. Enkele van de kwetsbaarheden kunnen leiden tot gedeeltelijke of volledige DoS, hiervoor is echter wel gebruikersinteractie vereist.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Dependency on Vulnerable Third-Party Component",
        "title": "CWE-1395"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Use After Free",
        "title": "CWE-416"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
        "title": "CWE-835"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd; oracle",
        "url": "https://www.oracle.com/security-alerts/cpuapr2025.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle JD Edwards",
    "tracking": {
      "current_release_date": "2025-04-16T15:10:06.149204Z",
      "generator": {
        "date": "2025-02-25T15:15:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.0"
        }
      },
      "id": "NCSC-2025-0131",
      "initial_release_date": "2025-04-16T15:10:06.149204Z",
      "revision_history": [
        {
          "date": "2025-04-16T15:10:06.149204Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/9.2.0.0-9.2.9.2",
                "product": {
                  "name": "vers:unknown/9.2.0.0-9.2.9.2",
                  "product_id": "CSAFPID-2726961",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:jd_edwards_enterpriseone:9.2.0.0_-_9.2.9.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JD Edwards"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:oracle/\u003e=9.2.0.0|\u003c=9.2.9.2",
                    "product": {
                      "name": "vers:oracle/\u003e=9.2.0.0|\u003c=9.2.9.2",
                      "product_id": "CSAFPID-2698984",
                      "product_identification_helper": {
                        "cpe": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.0.0-9.2.9.2:*:*:*:*:*:*:*"
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "JD Edwards EnterpriseOne Tools"
              }
            ],
            "category": "product_family",
            "name": "Oracle JD Edwards"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:unknown/\u003e=9.2.0.0|\u003c=9.2.9.2",
                    "product": {
                      "name": "vers:unknown/\u003e=9.2.0.0|\u003c=9.2.9.2",
                      "product_id": "CSAFPID-2698367"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Jd Edwards Enterpriseone Tools"
              }
            ],
            "category": "product_family",
            "name": "Oracle"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/9.2.0.0|\u003c=9.2.9.2",
                "product": {
                  "name": "vers:semver/9.2.0.0|\u003c=9.2.9.2",
                  "product_id": "CSAFPID-2698646"
                }
              }
            ],
            "category": "product_name",
            "name": "JD Edwards EnterpriseOne Tools"
          }
        ],
        "category": "vendor",
        "name": "Oracle Corporation"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-5535",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "other",
          "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
          "title": "CWE-119"
        },
        {
          "category": "other",
          "text": "Dependency on Vulnerable Third-Party Component",
          "title": "CWE-1395"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-5535",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-5535.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2024-5535"
    },
    {
      "cve": "CVE-2024-23807",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use After Free",
          "title": "CWE-416"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-23807",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23807.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2024-23807"
    },
    {
      "cve": "CVE-2024-25710",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
          "title": "CWE-835"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-25710",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25710.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2024-25710"
    },
    {
      "cve": "CVE-2024-45613",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-45613",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45613.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2024-45613"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2025-21586",
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-21586",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21586.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2025-21586"
    },
    {
      "cve": "CVE-2025-30709",
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-30709",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-30709.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2025-30709"
    },
    {
      "cve": "CVE-2025-30740",
      "product_status": {
        "known_affected": [
          "CSAFPID-2726961",
          "CSAFPID-2698984",
          "CSAFPID-2698367",
          "CSAFPID-2698646"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-30740",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-30740.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2726961",
            "CSAFPID-2698984",
            "CSAFPID-2698367",
            "CSAFPID-2698646"
          ]
        }
      ],
      "title": "CVE-2025-30740"
    }
  ]
}

NCSC-2025-0329

Vulnerability from csaf_ncscnl - Published: 2025-10-23 07:20 - Updated: 2025-10-23 07:20

Summary

Kwetsbaarheden verholpen in Oracle Commerce

Notes

Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende subcomponenten van Oracle Commerce producten, waaronder Oracle Middleware Common Libraries, Oracle Documaker, Oracle WebCenter Forms Recognition, Oracle WebLogic Server, en Oracle Application Testing Suite.

Interpretaties: De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om gedeeltelijke of volledige Denial of Service (DoS) te veroorzaken, met CVSS-scores variërend van 2.7 tot 7.5. Dit kan leiden tot systeemuitval en ongeoorloofde toegang tot gegevens. Aanvallers kunnen deze kwetsbaarheden misbruiken door specifieke verzoeken te sturen die de systemen overbelasten of door gebruik te maken van onbetrouwbare invoer. De kwetsbaarheden zijn aangetroffen in verschillende versies van de betrokken producten, wat de impact vergroot.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-937: CWE-937

CWE-1035: CWE-1035

CVE-2024-47554

Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2024-57699

Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-22233

CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform's Dynamo Application Framework allows low-privileged attackers to manipulate data.

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-48795

Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-48924

Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-48976

Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-48989

Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

CVE-2025-55163

Recent updates to Netty address critical vulnerabilities, including the 'MadeYouReset' DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 3 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Commerce		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Guided Search		vers:unknown/*
vers:unknown/* Oracle / Oracle Commerce Platform		vers:unknown/*

References

9 references

URL	Category
https://www.oracle.com/docs/tech/security-alerts/…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in verschillende subcomponenten van Oracle Commerce producten, waaronder Oracle Middleware Common Libraries, Oracle Documaker, Oracle WebCenter Forms Recognition, Oracle WebLogic Server, en Oracle Application Testing Suite.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om gedeeltelijke of volledige Denial of Service (DoS) te veroorzaken, met CVSS-scores vari\u00ebrend van 2.7 tot 7.5. Dit kan leiden tot systeemuitval en ongeoorloofde toegang tot gegevens. Aanvallers kunnen deze kwetsbaarheden misbruiken door specifieke verzoeken te sturen die de systemen overbelasten of door gebruik te maken van onbetrouwbare invoer. De kwetsbaarheden zijn aangetroffen in verschillende versies van de betrokken producten, wat de impact vergroot.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/docs/tech/security-alerts/cpuoct2025csaf.json"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Commerce",
    "tracking": {
      "current_release_date": "2025-10-23T07:20:51.213314Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0329",
      "initial_release_date": "2025-10-23T07:20:51.213314Z",
      "revision_history": [
        {
          "date": "2025-10-23T07:20:51.213314Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Commerce"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Commerce Guided Search"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Commerce Platform"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-57699 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2024-57699"
    },
    {
      "cve": "CVE-2025-22233",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "CVE-2024-38820 identifies a vulnerability in the Spring Framework affecting multiple versions, while a separate issue in the Oracle Commerce Platform\u0027s Dynamo Application Framework allows low-privileged attackers to manipulate data.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-22233 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22233.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-22233"
    },
    {
      "cve": "CVE-2025-48795",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48795 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-48795"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-48989",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48989 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty address critical vulnerabilities, including the \u0027MadeYouReset\u0027 DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    }
  ]
}

NCSC-2025-0330

Vulnerability from csaf_ncscnl - Published: 2025-10-23 13:20 - Updated: 2025-10-23 13:20

Summary

Kwetsbaarheden verholpen in Oracle Communications producten

Notes

Feiten: Oracle heeft meerdere kwetsbaarheden verholpen in zijn Communications producten, waaronder de Unified Assurance en Cloud Native Core.

Interpretaties: De kwetsbaarheden in de Oracle Communications producten stellen kwaadwillenden in staat om ongeautoriseerde toegang te verkrijgen, wat kan leiden tot gedeeltelijke of volledige Denial-of-Service (DoS) aanvallen. Specifiek kunnen aanvallers met netwerktoegang de systemen compromitteren, wat resulteert in ongeautoriseerde toegang tot gevoelige gegevens. De CVSS-scores van deze kwetsbaarheden variëren van 3.1 tot 9.8, wat wijst op een breed scala aan risico's, van beperkte tot ernstige impact op de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden in zijn Communications producten te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23: Relative Path Traversal

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121: Stack-based Buffer Overflow

CWE-122: Heap-based Buffer Overflow

CWE-124: Buffer Underwrite ('Buffer Underflow')

CWE-125: Out-of-bounds Read

CWE-129: Improper Validation of Array Index

CWE-130: Improper Handling of Length Parameter Inconsistency

CWE-147: Improper Neutralization of Input Terminators

CWE-190: Integer Overflow or Wraparound

CWE-197: Numeric Truncation Error

CWE-241: Improper Handling of Unexpected Data Type

CWE-252: Unchecked Return Value

CWE-253: Incorrect Check of Function Return Value

CWE-284: Improper Access Control

CWE-287: Improper Authentication

CWE-290: Authentication Bypass by Spoofing

CWE-328: Use of Weak Hash

CWE-385: Covert Timing Channel

CWE-390: Detection of Error Condition Without Action

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-407: Inefficient Algorithmic Complexity

CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

CWE-415: Double Free

CWE-416: Use After Free

CWE-426: Untrusted Search Path

CWE-440: Expected Behavior Violation

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-476: NULL Pointer Dereference

CWE-674: Uncontrolled Recursion

CWE-697: Incorrect Comparison

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-789: Memory Allocation with Excessive Size Value

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CWE-1284: Improper Validation of Specified Quantity in Input

CWE-1333: Inefficient Regular Expression Complexity

CVE-2023-26555

Recent updates address vulnerabilities in NTP 4.2.8p17 and Oracle products, including CVE-2023-26555 related to malformed RT-11 dates and various security issues in Oracle Communications and Database systems.

6.4 (Medium)


                        
                          CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-7254

Multiple vulnerabilities across various Oracle, IBM, and Protobuf products could lead to Denial of Service and unauthorized access, with significant risks identified in versions of Oracle Communications, MySQL Connector/J, and IBM WebSphere.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-8006

Multiple vulnerabilities in Oracle Communications products and the libpcap library allow high-privileged attackers to cause denial of service and NULL pointer dereference issues, with CVSS scores of 4.4 for the former.

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-12133

Multiple vulnerabilities affecting Oracle Communications EAGLE LNP Application Processor, Oracle Communications Cloud Native Core Policy, and libtasn1 could lead to denial of service attacks, with CVSS scores of 5.3 for some products.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-407 - Inefficient Algorithmic Complexity

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-28182

Multiple vulnerabilities across Oracle MySQL, Oracle Communications, and nghttp2 products allow remote attackers to exploit confidentiality, integrity, and availability, with varying damage ratings from medium to high.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-35164

Recent vulnerabilities in Oracle Communications Unified Assurance and Apache Guacamole could allow high-privileged attackers to compromise systems and execute arbitrary code, respectively.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-129 - Improper Validation of Array Index

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-37371

Multiple vulnerabilities across Oracle products, including Communications and MySQL, as well as MIT Kerberos 5, allow for unauthorized access, denial of service, and other malicious activities, with CVSS scores reaching 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE-130 - Improper Handling of Length Parameter Inconsistency

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-47554

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-50609

Fluent Bit 3.1.9 has a vulnerability allowing remote Denial of Service attacks via a zero-length packet, while Oracle Communications Unified Assurance versions 6.1.0-6.1.1 can be exploited by high-privileged attackers for complete Denial of Service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-51504

Recent vulnerabilities in Apache ZooKeeper and Oracle Communications Unified Assurance expose systems to authentication bypass and unauthorized access, allowing attackers to execute commands and access critical data.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWE-290 - Authentication Bypass by Spoofing

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2024-57699

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-1948

Eclipse Jetty versions 12.0.0 to 12.0.16 are vulnerable to OutOfMemoryError and denial of service attacks due to improper validation of the SETTINGS_MAX_HEADER_LIST_SIZE parameter, affecting various products including Oracle Communications EAGLE and NetApp.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-3576

Recent vulnerabilities in krb5 and MIT Kerberos implementations allow for message spoofing via MD5 checksum weaknesses, while Oracle Communications Network Analytics Data Director is susceptible to unauthorized data manipulation through SSH access.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-328 - Use of Weak Hash

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-4373

Recent vulnerabilities in Oracle Communications Cloud Native Core and glib2 involve unauthorized access risks and buffer overflow issues, affecting multiple products with varying severity levels.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U

CWE-124 - Buffer Underwrite ('Buffer Underflow')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-4517

Recent updates to Python versions 3.6 through 3.13.5 address multiple security vulnerabilities, particularly in the tarfile module, while enhancing various functionalities and resolving issues related to memory management and IPv6 handling.

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-4802

Vulnerabilities in Oracle Communications Cloud Native Core and glibc allow unauthenticated access and privilege escalation, with CVSS scores of 7.8, affecting confidentiality, integrity, and availability.

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-426 - Untrusted Search Path

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-5115

The 'MadeYouReset' vulnerability in HTTP/2 affects certain Jetty versions, allowing denial of service through malformed control frames, while additional vulnerabilities exist in Oracle Communications and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-5318

Recent vulnerabilities in Oracle MySQL Workbench and the libssh library expose sensitive data and allow unauthorized access, with CVSS scores indicating moderate severity.

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-125 - Out-of-bounds Read

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-5399

Multiple vulnerabilities in Oracle MySQL Server and Cluster, along with libcurl's WebSocket code, allow for various denial of service attacks, with CVSS scores ranging from 4.3 to 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-5889

The juliangruber brace-expansion library has a vulnerability in versions up to 4.0.0 affecting the expand function, while Oracle Communications Unified Assurance versions 6.1.0-6.1.1 are susceptible to a partial denial of service by low-privileged attackers.

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

CWE-1333 - Inefficient Regular Expression Complexity

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-6965

Critical vulnerabilities in Oracle Communications Cloud Native Core and SQLite versions prior to 3.50.2 expose systems to severe risks, including memory corruption and integer truncation issues.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-197 - Numeric Truncation Error

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-7339

Oracle Communications Unified Assurance has a vulnerability allowing unauthorized data access, while the on-headers middleware for Node.js has a bug affecting response header modifications in versions prior to 1.1.0.

3.4 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CWE-241 - Improper Handling of Unexpected Data Type

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-7425

Recent vulnerabilities in Oracle Communications Cloud Native Core and libxslt expose systems to unauthorized access and memory corruption, with significant impacts on integrity and availability.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CWE-416 - Use After Free

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-7962

Recent vulnerabilities in Oracle Communications Cloud Native Core Console and Jakarta Mail versions 2.0.2 and 2.2 expose systems to significant risks, including unauthorized access and SMTP Injection attacks.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-147 - Improper Neutralization of Input Terminators

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-8058

Recent vulnerabilities in Oracle Enterprise Operations Monitor and GNU C library versions 2.4 to 2.41 expose systems to potential unauthorized access, memory corruption, and denial of service risks.

7.0 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

CWE-415 - Double Free

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-8916

Bouncy Castle for Java and BCPKIX FIPS have a vulnerability allowing excessive resource allocation, while Oracle Communications Cloud Native Core Certificate Management and certain NetApp products face denial of service risks.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-9086

The curl update 8.14.1 addresses security vulnerabilities, including out-of-bounds reads, proxy cache poisoning, and a bug allowing insecure sites to override secure cookies, alongside a denial of service vulnerability in Oracle Communications Unified Inventory Management.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-25724

Multiple vulnerabilities have been identified in Oracle Communications Network Analytics Data Director and the libarchive component, affecting system integrity and availability, with CVSS scores indicating significant risks.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-252 - Unchecked Return Value

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-27210

Node.js versions 20.x, 22.x, and 24.x have an incomplete fix for CVE-2025-23084 affecting Windows device names and the `path.join` API, while Oracle Communications' Cloud Native Environment has a non-exploitable Security-in-Depth issue.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-27533

Multiple vulnerabilities across Apache ActiveMQ and Oracle products allow for denial of service attacks due to improper validation and excessive memory allocation, affecting various versions and configurations.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-789 - Memory Allocation with Excessive Size Value

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-27553

Recent vulnerabilities in Oracle Middleware and Apache Commons VFS expose critical data and allow unauthorized file access, with significant risks associated with their exploitation.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-23 - Relative Path Traversal

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-27587

OpenSSL versions 3.0.0 to 3.3.2 on PowerPC are vulnerable to a Minerva attack, while Oracle Communications Cloud Native Core Certificate Management 25.1.200 has a critical data access vulnerability, and OpenSSL 3 has addressed timing side channel issues.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-385 - Covert Timing Channel

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-27817

Multiple vulnerabilities across Apache Kafka and Oracle applications allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for Oracle products.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-32415

Multiple vulnerabilities have been identified in Oracle Java SE and libxml2, allowing for potential system compromise and denial of service, with CVSS scores of 7.5 for several issues.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-1284 - Improper Validation of Specified Quantity in Input

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-32728

Multiple vulnerabilities across Oracle Enterprise Communications Broker, OpenSSH, and HP-UX Secure Shell daemon could lead to unauthorized data access and system compromise, with varying CVSS scores and exploitation potential.

4.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE-440 - Expected Behavior Violation

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-32990

Recent vulnerabilities in Oracle Communications Unified Inventory Management and GnuTLS's certtool expose systems to denial-of-service and unauthorized data access, with significant integrity impacts and a CVSS score of 8.2 for Oracle's flaw.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CWE-122 - Heap-based Buffer Overflow

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-48734

Recent updates to Apache Commons BeanUtils address multiple vulnerabilities, including arbitrary code execution risks and unauthorized access to Java enum properties, affecting versions prior to 1.11.0 and 2.0.0-M2.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-284 - Improper Access Control

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-48924

Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-48976

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-48989

Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-49796

Recent updates for libxml2 address multiple vulnerabilities, including heap use after free and type confusion, which could lead to denial of service or crashes, alongside an Oracle vulnerability allowing unauthorized data access.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-52999

Oracle Communications Unified Assurance has a vulnerability allowing denial of service, while jackson-core versions prior to 2.15.0 can cause StackoverflowError with deeply nested data, now mitigated in version 2.15.0.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-121 - Stack-based Buffer Overflow

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-53547

Helm v3.18.4 addresses a critical vulnerability allowing local code execution through crafted `Chart.yaml` and symlinked `Chart.lock` files during dependency updates, alongside an Oracle Communications flaw with a CVSS score of 8.6.

8.6 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-53643

Recent vulnerabilities in Oracle Communications Operations Monitor and aiohttp could allow unauthorized access and data manipulation, with significant integrity impacts and request smuggling risks in affected versions.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-53864

Recent vulnerabilities in Oracle GoldenGate and Connect2id Nimbus JOSE + JWT expose systems to denial of service attacks, with CVSS scores indicating significant availability impacts due to issues with deeply nested JSON objects.

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-54090

Recent vulnerabilities in Oracle Communications Cloud Native Core Automated Test Suite and Apache HTTP Server 2.4.64 expose systems to unauthorized data access and potential denial of service, with a CVSS score of 6.3 for the Oracle issue.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-253 - Incorrect Check of Function Return Value

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-55163

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-57803

ImageMagick has addressed critical vulnerabilities in its BMP encoder, including a 32-bit integer overflow leading to heap corruption and potential code execution, alongside other security enhancements.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-122 - Heap-based Buffer Overflow

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-58057

Multiple vulnerabilities in decompressing decoders, including `BrotliDecoder`, and components of Oracle and HPE products can lead to denial of service through excessive buffer allocation and malformed HTTP/2 frames.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

CVE-2025-59375

A memory amplification vulnerability in libexpat (CVE-2025-59375) allows excessive memory allocations from crafted XML input, affecting versions prior to 2.7.2, while a Security-in-Depth issue exists in Oracle Database Server's Perl component but is not exploitable.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 36 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Communications Cloud Native Core Console		vers:unknown/*
vers:unknown/* Oracle / Management Cloud Engine		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Billing and Revenue Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Calendar Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Automated Test Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Binding Support Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Certificate Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core DBTier		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Function Cloud Native Environment		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Repository Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Network Slice Selection Function		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Policy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Security Edge Protection Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Service Communication Proxy		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Cloud Native Core Unified Data Repository		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Converged Charging System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergence		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Convergent Charging Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Diameter Signaling Router		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE Element Management System		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications EAGLE LNP Application Processor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications LSMS		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Messaging Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Analytics Data Director		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Charging and Control		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Network Integrity		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Offline Mediation Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Operations Monitor		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Order and Service Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Pricing Design Center		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Service Catalog and Design		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Session Border Controller		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Assurance		vers:unknown/*
vers:unknown/* Oracle / Oracle Communications Unified Inventory Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Communications Broker		vers:unknown/*
vers:unknown/* Oracle / Oracle Enterprise Operations Monitor		vers:unknown/*

References

51 references

URL	Category
https://www.oracle.com/security-alerts/cpuoct2025.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft meerdere kwetsbaarheden verholpen in zijn Communications producten, waaronder de Unified Assurance en Cloud Native Core.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in de Oracle Communications producten stellen kwaadwillenden in staat om ongeautoriseerde toegang te verkrijgen, wat kan leiden tot gedeeltelijke of volledige Denial-of-Service (DoS) aanvallen. Specifiek kunnen aanvallers met netwerktoegang de systemen compromitteren, wat resulteert in ongeautoriseerde toegang tot gevoelige gegevens. De CVSS-scores van deze kwetsbaarheden vari\u00ebren van 3.1 tot 9.8, wat wijst op een breed scala aan risico\u0027s, van beperkte tot ernstige impact op de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden in zijn Communications producten te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
        "title": "CWE-22"
      },
      {
        "category": "general",
        "text": "Relative Path Traversal",
        "title": "CWE-23"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
        "title": "CWE-120"
      },
      {
        "category": "general",
        "text": "Stack-based Buffer Overflow",
        "title": "CWE-121"
      },
      {
        "category": "general",
        "text": "Heap-based Buffer Overflow",
        "title": "CWE-122"
      },
      {
        "category": "general",
        "text": "Buffer Underwrite (\u0027Buffer Underflow\u0027)",
        "title": "CWE-124"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Improper Validation of Array Index",
        "title": "CWE-129"
      },
      {
        "category": "general",
        "text": "Improper Handling of Length Parameter Inconsistency",
        "title": "CWE-130"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input Terminators",
        "title": "CWE-147"
      },
      {
        "category": "general",
        "text": "Integer Overflow or Wraparound",
        "title": "CWE-190"
      },
      {
        "category": "general",
        "text": "Numeric Truncation Error",
        "title": "CWE-197"
      },
      {
        "category": "general",
        "text": "Improper Handling of Unexpected Data Type",
        "title": "CWE-241"
      },
      {
        "category": "general",
        "text": "Unchecked Return Value",
        "title": "CWE-252"
      },
      {
        "category": "general",
        "text": "Incorrect Check of Function Return Value",
        "title": "CWE-253"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authentication",
        "title": "CWE-287"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Spoofing",
        "title": "CWE-290"
      },
      {
        "category": "general",
        "text": "Use of Weak Hash",
        "title": "CWE-328"
      },
      {
        "category": "general",
        "text": "Covert Timing Channel",
        "title": "CWE-385"
      },
      {
        "category": "general",
        "text": "Detection of Error Condition Without Action",
        "title": "CWE-390"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Inefficient Algorithmic Complexity",
        "title": "CWE-407"
      },
      {
        "category": "general",
        "text": "Improper Handling of Highly Compressed Data (Data Amplification)",
        "title": "CWE-409"
      },
      {
        "category": "general",
        "text": "Double Free",
        "title": "CWE-415"
      },
      {
        "category": "general",
        "text": "Use After Free",
        "title": "CWE-416"
      },
      {
        "category": "general",
        "text": "Untrusted Search Path",
        "title": "CWE-426"
      },
      {
        "category": "general",
        "text": "Expected Behavior Violation",
        "title": "CWE-440"
      },
      {
        "category": "general",
        "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
        "title": "CWE-444"
      },
      {
        "category": "general",
        "text": "NULL Pointer Dereference",
        "title": "CWE-476"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Incorrect Comparison",
        "title": "CWE-697"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Memory Allocation with Excessive Size Value",
        "title": "CWE-789"
      },
      {
        "category": "general",
        "text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
        "title": "CWE-835"
      },
      {
        "category": "general",
        "text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
        "title": "CWE-843"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      },
      {
        "category": "general",
        "text": "Improper Validation of Specified Quantity in Input",
        "title": "CWE-1284"
      },
      {
        "category": "general",
        "text": "Inefficient Regular Expression Complexity",
        "title": "CWE-1333"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Communications producten",
    "tracking": {
      "current_release_date": "2025-10-23T13:20:15.363063Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0330",
      "initial_release_date": "2025-10-23T13:20:15.363063Z",
      "revision_history": [
        {
          "date": "2025-10-23T13:20:15.363063Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Communications Cloud Native Core Console"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Management Cloud Engine"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Billing and Revenue Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Calendar Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Automated Test Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Binding Support Function"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Certificate Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core DBTier"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Network Function Cloud Native Environment"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Network Repository Function"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-11"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Network Slice Selection Function"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-12"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Policy"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-13"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Security Edge Protection Proxy"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-14"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Service Communication Proxy"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-15"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Cloud Native Core Unified Data Repository"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-16"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Converged Charging System"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-17"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Convergence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-18"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Convergent Charging Controller"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-19"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Diameter Signaling Router"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-20"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications EAGLE Element Management System"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-21"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications EAGLE LNP Application Processor"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-22"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications LSMS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-23"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Messaging Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-24"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Network Analytics Data Director"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-25"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Network Charging and Control"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-26"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Network Integrity"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-27"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Offline Mediation Controller"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-28"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Operations Monitor"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-29"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Order and Service Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-30"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Pricing Design Center"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-31"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Service Catalog and Design"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-32"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Session Border Controller"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-33"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Unified Assurance"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-34"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Communications Unified Inventory Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-35"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Enterprise Communications Broker"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-36"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Enterprise Operations Monitor"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-26555",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "description",
          "text": "Recent updates address vulnerabilities in NTP 4.2.8p17 and Oracle products, including CVE-2023-26555 related to malformed RT-11 dates and various security issues in Oracle Communications and Database systems.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-26555 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-26555.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2023-26555"
    },
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across various Oracle, IBM, and Protobuf products could lead to Denial of Service and unauthorized access, with significant risks identified in versions of Oracle Communications, MySQL Connector/J, and IBM WebSphere.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-7254 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-7254.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-7254"
    },
    {
      "cve": "CVE-2024-8006",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle Communications products and the libpcap library allow high-privileged attackers to cause denial of service and NULL pointer dereference issues, with CVSS scores of 4.4 for the former.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-8006 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-8006.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-8006"
    },
    {
      "cve": "CVE-2024-12133",
      "cwe": {
        "id": "CWE-407",
        "name": "Inefficient Algorithmic Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Algorithmic Complexity",
          "title": "CWE-407"
        },
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affecting Oracle Communications EAGLE LNP Application Processor, Oracle Communications Cloud Native Core Policy, and libtasn1 could lead to denial of service attacks, with CVSS scores of 5.3 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-12133 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-12133.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-12133"
    },
    {
      "cve": "CVE-2024-28182",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Detection of Error Condition Without Action",
          "title": "CWE-390"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle MySQL, Oracle Communications, and nghttp2 products allow remote attackers to exploit confidentiality, integrity, and availability, with varying damage ratings from medium to high.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-28182 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-28182.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-28182"
    },
    {
      "cve": "CVE-2024-35164",
      "cwe": {
        "id": "CWE-129",
        "name": "Improper Validation of Array Index"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Validation of Array Index",
          "title": "CWE-129"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Unified Assurance and Apache Guacamole could allow high-privileged attackers to compromise systems and execute arbitrary code, respectively.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-35164 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-35164.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-35164"
    },
    {
      "cve": "CVE-2024-37371",
      "cwe": {
        "id": "CWE-130",
        "name": "Improper Handling of Length Parameter Inconsistency"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Handling of Length Parameter Inconsistency",
          "title": "CWE-130"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle products, including Communications and MySQL, as well as MIT Kerberos 5, allow for unauthorized access, denial of service, and other malicious activities, with CVSS scores reaching 9.1.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-37371 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-37371.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-37371"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-50609",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        },
        {
          "category": "description",
          "text": "Fluent Bit 3.1.9 has a vulnerability allowing remote Denial of Service attacks via a zero-length packet, while Oracle Communications Unified Assurance versions 6.1.0-6.1.1 can be exploited by high-privileged attackers for complete Denial of Service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-50609 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-50609.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-50609"
    },
    {
      "cve": "CVE-2024-51504",
      "cwe": {
        "id": "CWE-290",
        "name": "Authentication Bypass by Spoofing"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Spoofing",
          "title": "CWE-290"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Apache ZooKeeper and Oracle Communications Unified Assurance expose systems to authentication bypass and unauthorized access, allowing attackers to execute commands and access critical data.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-51504 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-51504.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-51504"
    },
    {
      "cve": "CVE-2024-57699",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple security vulnerabilities across various Oracle products and the Netplex Json-smart library can lead to Denial of Service (DoS) due to stack exhaustion and other exploits, affecting versions 2.5.0 to 2.5.1 and specific Oracle software.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-57699 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-57699.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2024-57699"
    },
    {
      "cve": "CVE-2025-1948",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Eclipse Jetty versions 12.0.0 to 12.0.16 are vulnerable to OutOfMemoryError and denial of service attacks due to improper validation of the SETTINGS_MAX_HEADER_LIST_SIZE parameter, affecting various products including Oracle Communications EAGLE and NetApp.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-1948 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-1948.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-1948"
    },
    {
      "cve": "CVE-2025-3576",
      "cwe": {
        "id": "CWE-328",
        "name": "Use of Weak Hash"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Weak Hash",
          "title": "CWE-328"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in krb5 and MIT Kerberos implementations allow for message spoofing via MD5 checksum weaknesses, while Oracle Communications Network Analytics Data Director is susceptible to unauthorized data manipulation through SSH access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-3576 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-3576.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-3576"
    },
    {
      "cve": "CVE-2025-4373",
      "cwe": {
        "id": "CWE-124",
        "name": "Buffer Underwrite (\u0027Buffer Underflow\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Buffer Underwrite (\u0027Buffer Underflow\u0027)",
          "title": "CWE-124"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Cloud Native Core and glib2 involve unauthorized access risks and buffer overflow issues, affecting multiple products with varying severity levels.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4373 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4373.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-4373"
    },
    {
      "cve": "CVE-2025-4517",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "title": "CWE-22"
        },
        {
          "category": "description",
          "text": "Recent updates to Python versions 3.6 through 3.13.5 address multiple security vulnerabilities, particularly in the tarfile module, while enhancing various functionalities and resolving issues related to memory management and IPv6 handling.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4517 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4517.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-4517"
    },
    {
      "cve": "CVE-2025-4802",
      "cwe": {
        "id": "CWE-426",
        "name": "Untrusted Search Path"
      },
      "notes": [
        {
          "category": "other",
          "text": "Untrusted Search Path",
          "title": "CWE-426"
        },
        {
          "category": "description",
          "text": "Vulnerabilities in Oracle Communications Cloud Native Core and glibc allow unauthenticated access and privilege escalation, with CVSS scores of 7.8, affecting confidentiality, integrity, and availability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4802 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4802.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-4802"
    },
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "The \u0027MadeYouReset\u0027 vulnerability in HTTP/2 affects certain Jetty versions, allowing denial of service through malformed control frames, while additional vulnerabilities exist in Oracle Communications and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-5318",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle MySQL Workbench and the libssh library expose sensitive data and allow unauthorized access, with CVSS scores indicating moderate severity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5318 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5318.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-5318"
    },
    {
      "cve": "CVE-2025-5399",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
          "title": "CWE-835"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle MySQL Server and Cluster, along with libcurl\u0027s WebSocket code, allow for various denial of service attacks, with CVSS scores ranging from 4.3 to 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5399 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5399.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-5399"
    },
    {
      "cve": "CVE-2025-5889",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inefficient Regular Expression Complexity",
          "title": "CWE-1333"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "The juliangruber brace-expansion library has a vulnerability in versions up to 4.0.0 affecting the expand function, while Oracle Communications Unified Assurance versions 6.1.0-6.1.1 are susceptible to a partial denial of service by low-privileged attackers.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5889 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5889.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-5889"
    },
    {
      "cve": "CVE-2025-6965",
      "cwe": {
        "id": "CWE-197",
        "name": "Numeric Truncation Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Numeric Truncation Error",
          "title": "CWE-197"
        },
        {
          "category": "description",
          "text": "Critical vulnerabilities in Oracle Communications Cloud Native Core and SQLite versions prior to 3.50.2 expose systems to severe risks, including memory corruption and integer truncation issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-6965 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-6965.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-6965"
    },
    {
      "cve": "CVE-2025-7339",
      "cwe": {
        "id": "CWE-241",
        "name": "Improper Handling of Unexpected Data Type"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Handling of Unexpected Data Type",
          "title": "CWE-241"
        },
        {
          "category": "description",
          "text": "Oracle Communications Unified Assurance has a vulnerability allowing unauthorized data access, while the on-headers middleware for Node.js has a bug affecting response header modifications in versions prior to 1.1.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-7339 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-7339.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-7339"
    },
    {
      "cve": "CVE-2025-7425",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use After Free",
          "title": "CWE-416"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Cloud Native Core and libxslt expose systems to unauthorized access and memory corruption, with significant impacts on integrity and availability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-7425 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-7425.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-7425"
    },
    {
      "cve": "CVE-2025-7962",
      "cwe": {
        "id": "CWE-147",
        "name": "Improper Neutralization of Input Terminators"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input Terminators",
          "title": "CWE-147"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Cloud Native Core Console and Jakarta Mail versions 2.0.2 and 2.2 expose systems to significant risks, including unauthorized access and SMTP Injection attacks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-7962 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-7962.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-7962"
    },
    {
      "cve": "CVE-2025-8058",
      "cwe": {
        "id": "CWE-415",
        "name": "Double Free"
      },
      "notes": [
        {
          "category": "other",
          "text": "Double Free",
          "title": "CWE-415"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Enterprise Operations Monitor and GNU C library versions 2.4 to 2.41 expose systems to potential unauthorized access, memory corruption, and denial of service risks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-8058 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8058.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-8058"
    },
    {
      "cve": "CVE-2025-8916",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Bouncy Castle for Java and BCPKIX FIPS have a vulnerability allowing excessive resource allocation, while Oracle Communications Cloud Native Core Certificate Management and certain NetApp products face denial of service risks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-8916 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8916.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-8916"
    },
    {
      "cve": "CVE-2025-9086",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "The curl update 8.14.1 addresses security vulnerabilities, including out-of-bounds reads, proxy cache poisoning, and a bug allowing insecure sites to override secure cookies, alongside a denial of service vulnerability in Oracle Communications Unified Inventory Management.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-9086 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-9086.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-9086"
    },
    {
      "cve": "CVE-2025-25724",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Unchecked Return Value",
          "title": "CWE-252"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Communications Network Analytics Data Director and the libarchive component, affecting system integrity and availability, with CVSS scores indicating significant risks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-25724 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-25724.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-25724"
    },
    {
      "cve": "CVE-2025-27210",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "title": "CWE-22"
        },
        {
          "category": "description",
          "text": "Node.js versions 20.x, 22.x, and 24.x have an incomplete fix for CVE-2025-23084 affecting Windows device names and the `path.join` API, while Oracle Communications\u0027 Cloud Native Environment has a non-exploitable Security-in-Depth issue.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27210 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27210.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-27210"
    },
    {
      "cve": "CVE-2025-27533",
      "cwe": {
        "id": "CWE-789",
        "name": "Memory Allocation with Excessive Size Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Memory Allocation with Excessive Size Value",
          "title": "CWE-789"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache ActiveMQ and Oracle products allow for denial of service attacks due to improper validation and excessive memory allocation, affecting various versions and configurations.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:M/U:Red",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27533 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27533.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-27533"
    },
    {
      "cve": "CVE-2025-27553",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "other",
          "text": "Relative Path Traversal",
          "title": "CWE-23"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Middleware and Apache Commons VFS expose critical data and allow unauthorized file access, with significant risks associated with their exploitation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27553 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27553.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-27553"
    },
    {
      "cve": "CVE-2025-27587",
      "cwe": {
        "id": "CWE-385",
        "name": "Covert Timing Channel"
      },
      "notes": [
        {
          "category": "other",
          "text": "Covert Timing Channel",
          "title": "CWE-385"
        },
        {
          "category": "description",
          "text": "OpenSSL versions 3.0.0 to 3.3.2 on PowerPC are vulnerable to a Minerva attack, while Oracle Communications Cloud Native Core Certificate Management 25.1.200 has a critical data access vulnerability, and OpenSSL 3 has addressed timing side channel issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27587 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27587.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-27587"
    },
    {
      "cve": "CVE-2025-27817",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Kafka and Oracle applications allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for Oracle products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27817 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27817.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-27817"
    },
    {
      "cve": "CVE-2025-32415",
      "cwe": {
        "id": "CWE-1284",
        "name": "Improper Validation of Specified Quantity in Input"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Validation of Specified Quantity in Input",
          "title": "CWE-1284"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Java SE and libxml2, allowing for potential system compromise and denial of service, with CVSS scores of 7.5 for several issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-32415 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-32415.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-32415"
    },
    {
      "cve": "CVE-2025-32728",
      "cwe": {
        "id": "CWE-440",
        "name": "Expected Behavior Violation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Expected Behavior Violation",
          "title": "CWE-440"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Enterprise Communications Broker, OpenSSH, and HP-UX Secure Shell daemon could lead to unauthorized data access and system compromise, with varying CVSS scores and exploitation potential.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-32728 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-32728.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-32728"
    },
    {
      "cve": "CVE-2025-32990",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Heap-based Buffer Overflow",
          "title": "CWE-122"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Unified Inventory Management and GnuTLS\u0027s certtool expose systems to denial-of-service and unauthorized data access, with significant integrity impacts and a CVSS score of 8.2 for Oracle\u0027s flaw.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-32990 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-32990.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-32990"
    },
    {
      "cve": "CVE-2025-48734",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "Recent updates to Apache Commons BeanUtils address multiple vulnerabilities, including arbitrary code execution risks and unauthorized access to Java enum properties, affecting versions prior to 1.11.0 and 2.0.0-M2.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48734 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48734.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-48734"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-48989",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48989 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Recent updates for libxml2 address multiple vulnerabilities, including heap use after free and type confusion, which could lead to denial of service or crashes, alongside an Oracle vulnerability allowing unauthorized data access.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49796 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Stack-based Buffer Overflow",
          "title": "CWE-121"
        },
        {
          "category": "description",
          "text": "Oracle Communications Unified Assurance has a vulnerability allowing denial of service, while jackson-core versions prior to 2.15.0 can cause StackoverflowError with deeply nested data, now mitigated in version 2.15.0.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-52999 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-52999.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-52999"
    },
    {
      "cve": "CVE-2025-53547",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "description",
          "text": "Helm v3.18.4 addresses a critical vulnerability allowing local code execution through crafted `Chart.yaml` and symlinked `Chart.lock` files during dependency updates, alongside an Oracle Communications flaw with a CVSS score of 8.6.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53547 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53547.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-53547"
    },
    {
      "cve": "CVE-2025-53643",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
          "title": "CWE-444"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Operations Monitor and aiohttp could allow unauthorized access and data manipulation, with significant integrity impacts and request smuggling risks in affected versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53643 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53643.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-53643"
    },
    {
      "cve": "CVE-2025-53864",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle GoldenGate and Connect2id Nimbus JOSE + JWT expose systems to denial of service attacks, with CVSS scores indicating significant availability impacts due to issues with deeply nested JSON objects.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53864 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53864.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-53864"
    },
    {
      "cve": "CVE-2025-54090",
      "cwe": {
        "id": "CWE-253",
        "name": "Incorrect Check of Function Return Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Check of Function Return Value",
          "title": "CWE-253"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Communications Cloud Native Core Automated Test Suite and Apache HTTP Server 2.4.64 expose systems to unauthorized data access and potential denial of service, with a CVSS score of 6.3 for the Oracle issue.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54090 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54090.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-54090"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty address critical vulnerabilities, including the \u0027MadeYouReset\u0027 DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-57803",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "other",
          "text": "Heap-based Buffer Overflow",
          "title": "CWE-122"
        },
        {
          "category": "other",
          "text": "Integer Overflow or Wraparound",
          "title": "CWE-190"
        },
        {
          "category": "description",
          "text": "ImageMagick has addressed critical vulnerabilities in its BMP encoder, including a 32-bit integer overflow leading to heap corruption and potential code execution, alongside other security enhancements.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-57803 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-57803.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-57803"
    },
    {
      "cve": "CVE-2025-58057",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Handling of Highly Compressed Data (Data Amplification)",
          "title": "CWE-409"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in decompressing decoders, including `BrotliDecoder`, and components of Oracle and HPE products can lead to denial of service through excessive buffer allocation and malformed HTTP/2 frames.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-58057 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-58057.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-58057"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "A memory amplification vulnerability in libexpat (CVE-2025-59375) allows excessive memory allocations from crafted XML input, affecting versions prior to 2.7.2, while a Security-in-Depth issue exists in Oracle Database Server\u0027s Perl component but is not exploitable.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20",
          "CSAFPID-21",
          "CSAFPID-22",
          "CSAFPID-23",
          "CSAFPID-24",
          "CSAFPID-25",
          "CSAFPID-26",
          "CSAFPID-27",
          "CSAFPID-28",
          "CSAFPID-29",
          "CSAFPID-30",
          "CSAFPID-31",
          "CSAFPID-32",
          "CSAFPID-33",
          "CSAFPID-34",
          "CSAFPID-35",
          "CSAFPID-36"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59375 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59375.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20",
            "CSAFPID-21",
            "CSAFPID-22",
            "CSAFPID-23",
            "CSAFPID-24",
            "CSAFPID-25",
            "CSAFPID-26",
            "CSAFPID-27",
            "CSAFPID-28",
            "CSAFPID-29",
            "CSAFPID-30",
            "CSAFPID-31",
            "CSAFPID-32",
            "CSAFPID-33",
            "CSAFPID-34",
            "CSAFPID-35",
            "CSAFPID-36"
          ]
        }
      ],
      "title": "CVE-2025-59375"
    }
  ]
}

NCSC-2025-0335

Vulnerability from csaf_ncscnl - Published: 2025-10-23 13:45 - Updated: 2025-10-23 13:45

Summary

Kwetsbaarheden verholpen in Oracle Analytics

Notes

Feiten: Oracle heeft meerdere kwetsbaarheden verholpen in Oracle Analytics producten.

Interpretaties: De kwetsbaarheden kunnen de vertrouwelijkheid, integriteit en beschikbaarheid in gevaar brengen, met een maximale impactscore van 'HOOG'. Aanvallers kunnen deze kwetsbaarheden misbruiken om ongeautoriseerde toegang te verkrijgen of Denial-of-Service (DoS) aanvallen uit te voeren. Specifieke versies van subcomponenten als Oracle Communications Cloud Native Core Binding Support Function en DBTier zijn getroffen, evenals Oracle Business Intelligence Enterprise Edition, die kwetsbaarheden bevatten die ongeautoriseerde toegang en gedeeltelijke Denial-of-Service mogelijk maken.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-267: Privilege Defined With Unsafe Actions

CWE-284: Improper Access Control

CWE-295: Improper Certificate Validation

CWE-392: Missing Report of Error Condition

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-1395: Dependency on Vulnerable Third-Party Component

CVE-2024-7254

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2024-12797

Multiple vulnerabilities across OpenSSL and Oracle products expose clients to man-in-the-middle attacks, unauthorized access, and partial denial of service, particularly affecting RFC7250 Raw Public Keys and specific versions of Oracle Communications and Business Intelligence software.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-392 - Missing Report of Error Condition

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2024-47554

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-25193

Recent updates to Netty and Oracle products address critical vulnerabilities, including denial of service risks due to unsafe environment file reading and flaws in various APIs and components.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-48795

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-48976

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-53049

A vulnerability in Oracle Business Intelligence Enterprise Edition (versions 7.6.0.0.0 and 8.2.0.0.0) allows high-privileged attackers to potentially take over the system, with a CVSS score of 8.4.

8.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE-284 - Improper Access Control

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

CVE-2025-61754

A vulnerability in Oracle BI Publisher (versions 7.6.0.0.0 and 8.2.0.0.0) allows low privileged attackers to exploit the Web Service API, potentially leading to unauthorized access to critical data, with a CVSS score of 6.5.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-267 - Privilege Defined With Unsafe Actions

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Oracle BI Publisher		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Intelligence Enterprise Edition		vers:unknown/*

References

9 references

URL	Category
https://www.oracle.com/security-alerts/cpuoct2025.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft meerdere kwetsbaarheden verholpen in Oracle Analytics producten.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden kunnen de vertrouwelijkheid, integriteit en beschikbaarheid in gevaar brengen, met een maximale impactscore van \u0027HOOG\u0027. Aanvallers kunnen deze kwetsbaarheden misbruiken om ongeautoriseerde toegang te verkrijgen of Denial-of-Service (DoS) aanvallen uit te voeren. Specifieke versies van subcomponenten als Oracle Communications Cloud Native Core Binding Support Function en DBTier zijn getroffen, evenals Oracle Business Intelligence Enterprise Edition, die kwetsbaarheden bevatten die ongeautoriseerde toegang en gedeeltelijke Denial-of-Service mogelijk maken.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Privilege Defined With Unsafe Actions",
        "title": "CWE-267"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Certificate Validation",
        "title": "CWE-295"
      },
      {
        "category": "general",
        "text": "Missing Report of Error Condition",
        "title": "CWE-392"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Dependency on Vulnerable Third-Party Component",
        "title": "CWE-1395"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Analytics",
    "tracking": {
      "current_release_date": "2025-10-23T13:45:06.747933Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0335",
      "initial_release_date": "2025-10-23T13:45:06.747933Z",
      "revision_history": [
        {
          "date": "2025-10-23T13:45:06.747933Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle BI Publisher"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Business Intelligence Enterprise Edition"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across various Oracle, IBM, and Protobuf products could lead to Denial of Service and unauthorized access, with significant risks identified in versions of Oracle Communications, MySQL Connector/J, and IBM WebSphere.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-7254 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-7254.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2024-7254"
    },
    {
      "cve": "CVE-2024-12797",
      "cwe": {
        "id": "CWE-392",
        "name": "Missing Report of Error Condition"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Report of Error Condition",
          "title": "CWE-392"
        },
        {
          "category": "other",
          "text": "Dependency on Vulnerable Third-Party Component",
          "title": "CWE-1395"
        },
        {
          "category": "other",
          "text": "Improper Certificate Validation",
          "title": "CWE-295"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across OpenSSL and Oracle products expose clients to man-in-the-middle attacks, unauthorized access, and partial denial of service, particularly affecting RFC7250 Raw Public Keys and specific versions of Oracle Communications and Business Intelligence software.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-12797 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-12797.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2024-12797"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO components allow unauthenticated attackers to exploit denial of service risks, with CVSS scores ranging from 4.3 to 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2025-25193",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle products address critical vulnerabilities, including denial of service risks due to unsafe environment file reading and flaws in various APIs and components.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-25193 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-25193.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-25193"
    },
    {
      "cve": "CVE-2025-48795",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle WebCenter Forms Recognition and Apache CXF expose systems to data compromise and denial of service risks, with CVSS scores indicating significant impacts on confidentiality, integrity, and availability.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48795 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48795.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-48795"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-53049",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Business Intelligence Enterprise Edition (versions 7.6.0.0.0 and 8.2.0.0.0) allows high-privileged attackers to potentially take over the system, with a CVSS score of 8.4.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53049 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53049.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-53049"
    },
    {
      "cve": "CVE-2025-61754",
      "cwe": {
        "id": "CWE-267",
        "name": "Privilege Defined With Unsafe Actions"
      },
      "notes": [
        {
          "category": "other",
          "text": "Privilege Defined With Unsafe Actions",
          "title": "CWE-267"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle BI Publisher (versions 7.6.0.0.0 and 8.2.0.0.0) allows low privileged attackers to exploit the Web Service API, potentially leading to unauthorized access to critical data, with a CVSS score of 6.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-61754 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61754.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2"
          ]
        }
      ],
      "title": "CVE-2025-61754"
    }
  ]
}

NCSC-2026-0027

Vulnerability from csaf_ncscnl - Published: 2026-01-21 10:08 - Updated: 2026-01-21 10:08

Summary

Kwetsbaarheden verholpen in Oracle Fusion Middleware

Notes

Feiten: Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.

Interpretaties: De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-117: Improper Output Neutralization for Logs

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-122: Heap-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CWE-209: Generation of Error Message Containing Sensitive Information

CWE-252: Unchecked Return Value

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-289: Authentication Bypass by Alternate Name

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-457: Use of Uninitialized Variable

CWE-476: NULL Pointer Dereference

CWE-611: Improper Restriction of XML External Entity Reference

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-787: Out-of-bounds Write

CWE-827: Improper Control of Document Type Definition

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CVE-2021-45105

Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.

10.0 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2022-41342

Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-13009

Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-42516

Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-43204

Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47252

Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-47554

Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2024-56406

Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-4949

Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-5115

Multiple vulnerabilities, including the 'MadeYouReset' attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-12383

Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-23048

Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-284 - Improper Access Control

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-26333

Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-209 - Generation of Error Message Containing Sensitive Information

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-31672

Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41248

Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-41249

Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-43967

Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48924

Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-48976

Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-49796

Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-125 - Out-of-bounds Read

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-53864

Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54571

Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-252 - Unchecked Return Value

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54874

Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-457 - Use of Uninitialized Variable

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-54988

Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft's OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-55163

Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the 'MadeYouReset' attack in HTTP/2, which can lead to denial of service and resource exhaustion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-59375

Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2025-66516

Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

CVE-2026-21962

A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected products

Known affected 20 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Data Integrator		vers:unknown/*
vers:unknown/* Oracle / Fusion Middleware		vers:unknown/*
vers:unknown/* Oracle / Identity Manager Connector		vers:unknown/*
vers:unknown/* Oracle / Managed File Transfer		vers:unknown/*
vers:unknown/* Oracle / Oracle Business Process Management Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Coherence		vers:unknown/*
vers:unknown/* Oracle / Oracle Global Lifecycle Management NextGen OUI Framework		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server		vers:unknown/*
vers:unknown/* Oracle / Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Oracle Identity Manager		vers:unknown/*
vers:unknown/* Oracle / Oracle Outside In Technology		vers:unknown/*
vers:unknown/* Oracle / Oracle SOA Suite		vers:unknown/*
vers:unknown/* Oracle / Oracle Security Service		vers:unknown/*
vers:unknown/* Oracle / Oracle Service Bus		vers:unknown/*
vers:unknown/* Oracle / Oracle Unified Directory		vers:unknown/*
vers:unknown/* Oracle / Oracle WebCenter Enterprise Capture		vers:unknown/*
vers:unknown/* Oracle / Oracle WebLogic Server		vers:unknown/*
vers:unknown/* Oracle / Oracle Weblogic Server Proxy Plug-in		vers:unknown/*
vers:unknown/* Oracle / Service Delivery Platform		vers:unknown/*
vers:unknown/* Oracle / WebCenter Sites		vers:unknown/*

References

29 references

URL	Category
https://www.oracle.com/security-alerts/cpujan2026.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in verschillende producten, waaronder Oracle HTTP Server, Oracle WebLogic Server, en Oracle Fusion Middleware.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in de Oracle producten stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot gevoelige gegevens, Denial-of-Service (DoS) aanvallen uit te voeren, en de integriteit van systemen te compromitteren. Specifieke kwetsbaarheden omvatten onjuist beheer van HTTP-headers, ongecontroleerde recursie, en onvoldoende bufferbeperkingen, wat kan leiden tot systeemcrashes en gegevensverlies.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
        "title": "CWE-113"
      },
      {
        "category": "general",
        "text": "Improper Output Neutralization for Logs",
        "title": "CWE-117"
      },
      {
        "category": "general",
        "text": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
        "title": "CWE-119"
      },
      {
        "category": "general",
        "text": "Heap-based Buffer Overflow",
        "title": "CWE-122"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
        "title": "CWE-150"
      },
      {
        "category": "general",
        "text": "Generation of Error Message Containing Sensitive Information",
        "title": "CWE-209"
      },
      {
        "category": "general",
        "text": "Unchecked Return Value",
        "title": "CWE-252"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Authentication Bypass by Alternate Name",
        "title": "CWE-289"
      },
      {
        "category": "general",
        "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
        "title": "CWE-362"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Use of Uninitialized Variable",
        "title": "CWE-457"
      },
      {
        "category": "general",
        "text": "NULL Pointer Dereference",
        "title": "CWE-476"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Improper Control of Document Type Definition",
        "title": "CWE-827"
      },
      {
        "category": "general",
        "text": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
        "title": "CWE-843"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Fusion Middleware",
    "tracking": {
      "current_release_date": "2026-01-21T10:08:59.379774Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0027",
      "initial_release_date": "2026-01-21T10:08:59.379774Z",
      "revision_history": [
        {
          "date": "2026-01-21T10:08:59.379774Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Data Integrator"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Fusion Middleware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Identity Manager Connector"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Managed File Transfer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Business Process Management Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Coherence"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Global Lifecycle Management NextGen OUI Framework"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Identity Manager"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-11"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Outside In Technology"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-12"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle SOA Suite"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-13"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Security Service"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-14"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Service Bus"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-15"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Unified Directory"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-16"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebCenter Enterprise Capture"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-17"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle WebLogic Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-18"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Weblogic Server Proxy Plug-in"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-19"
                }
              }
            ],
            "category": "product_name",
            "name": "Service Delivery Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-20"
                }
              }
            ],
            "category": "product_name",
            "name": "WebCenter Sites"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-45105",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Log4j, Oracle products, and various dependencies expose systems to denial-of-service and remote code execution risks, necessitating updates to secure versions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-45105 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2021/cve-2021-45105.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2021-45105"
    },
    {
      "cve": "CVE-2022-41342",
      "notes": [
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle products, including the Oracle HTTP Server and Database, allow for potential privilege escalation, remote code execution, and denial of service, with varying CVSS scores indicating significant risk.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41342 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2022/cve-2022-41342.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2022-41342"
    },
    {
      "cve": "CVE-2024-13009",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle JD Edwards, Oracle Middleware, Eclipse Jetty, HPE Telco IP Mediation, and SAP Commerce Cloud expose systems to unauthorized access and data corruption, with CVSS scores reaching 7.2.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-13009 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-13009.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-13009"
    },
    {
      "cve": "CVE-2024-42516",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
          "title": "CWE-113"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server and Oracle HTTP Server, including CVE-2023-38709 and CVE-2024-42516, expose systems to risks such as HTTP response splitting, SSRF, and unauthorized access.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-42516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-42516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-42516"
    },
    {
      "cve": "CVE-2024-43204",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Apache HTTP Server versions prior to 2.4.64 are vulnerable to multiple security issues, including SSRF and HTTP response splitting, affecting mod_proxy and mod_headers configurations, with critical vulnerabilities also identified in Oracle HTTP Server.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-43204 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-43204.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-43204"
    },
    {
      "cve": "CVE-2024-47252",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Escape, Meta, or Control Sequences",
          "title": "CWE-150"
        },
        {
          "category": "other",
          "text": "Improper Output Neutralization for Logs",
          "title": "CWE-117"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.63 and earlier, including insufficient escaping in mod_ssl, allow untrusted clients to compromise log integrity and potentially lead to unauthorized access and denial of service.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47252 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47252.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47252"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Middleware, Documaker, and Apache Commons IO allow for denial of service attacks, with CVSS scores ranging from 4.3 to 7.5, affecting various versions of these products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-47554 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-47554.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-47554"
    },
    {
      "cve": "CVE-2024-56406",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        },
        {
          "category": "other",
          "text": "Heap-based Buffer Overflow",
          "title": "CWE-122"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle Fusion Middleware and Perl, including heap buffer overflows and denial of service risks, affect various versions, with CVSS scores indicating significant severity.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-56406 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-56406.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2024-56406"
    },
    {
      "cve": "CVE-2025-4949",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "Improper Control of Document Type Definition",
          "title": "CWE-827"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Database Server, Oracle Fusion Middleware, and Eclipse JGit expose systems to unauthorized access, severe impacts, and information disclosure through various attack vectors.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-4949 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-4949.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-4949"
    },
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2 and unauthenticated issues in Oracle products, can lead to denial of service across various platforms such as Eclipse Jetty and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-12383",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
          "title": "CWE-362"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12383 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-12383"
    },
    {
      "cve": "CVE-2025-23048",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Apache HTTP Server versions 2.4.35 to 2.4.63 and Oracle HTTP Server allow unauthorized access, data modification, and denial of service, particularly through TLS session resumption and other exploit vectors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-23048 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-23048.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-23048"
    },
    {
      "cve": "CVE-2025-26333",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "notes": [
        {
          "category": "other",
          "text": "Generation of Error Message Containing Sensitive Information",
          "title": "CWE-209"
        },
        {
          "category": "description",
          "text": "Oracle Database Server and Oracle GoldenGate have Security-in-Depth issues related to Dell BSAFE Crypto-J, which cannot be exploited within their respective contexts, although error messages may expose sensitive information.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-26333 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-26333.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-26333"
    },
    {
      "cve": "CVE-2025-31672",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across various Oracle and Apache POI products, including improper input validation and unauthorized data access, affecting versions 5.4.0 and earlier, with CVSS scores of 5.3.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31672 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-31672"
    },
    {
      "cve": "CVE-2025-41248",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "notes": [
        {
          "category": "other",
          "text": "Authentication Bypass by Alternate Name",
          "title": "CWE-289"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Financial Services Model Management and Spring Framework versions expose critical data and may lead to authorization bypass, with significant confidentiality impacts.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41248 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41248.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41248"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Financial Services and Retail products, as well as the Spring Framework, allowing unauthorized access to sensitive data and potentially leading to information disclosure.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-43967",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        },
        {
          "category": "description",
          "text": "Oracle Hyperion Financial Reporting (version 11.2.23) has a denial of service vulnerability (CVSS 7.5), while libheif library versions prior to 1.19.6 have a NULL pointer dereference issue in the ImageItem_Grid::get_decoder function.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-43967 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-43967.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-43967"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple denial-of-service vulnerabilities have been identified in Oracle Application Testing Suite, Oracle Agile PLM, Apache Commons FileUpload, and HPE IceWall Identity Manager, with CVSS scores of 7.5 for some products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-49796",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle Banking Branch and Oracle Communications Cloud Native Core Certificate Management products, as well as libxml2, could lead to critical data compromise and denial of service, with CVSS scores reaching 9.1.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49796 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-49796.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-49796"
    },
    {
      "cve": "CVE-2025-53864",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Oracle WebLogic Server, Oracle GoldenGate, and Connect2id Nimbus JOSE + JWT allow unauthenticated attackers to exploit denial of service conditions, affecting various versions with CVSS scores of 5.8.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53864 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53864.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-53864"
    },
    {
      "cve": "CVE-2025-54571",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "other",
          "text": "Unchecked Return Value",
          "title": "CWE-252"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle HTTP Server and ModSecurity allow for denial of service and potential XSS attacks, affecting specific versions with significant severity scores.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54571 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54571.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54571"
    },
    {
      "cve": "CVE-2025-54874",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Uninitialized Variable",
          "title": "CWE-457"
        },
        {
          "category": "description",
          "text": "Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54874 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54874.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54874"
    },
    {
      "cve": "CVE-2025-54988",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika versions 1.13 to 3.2.1 have a critical XXE vulnerability, while Oracle PeopleSoft\u0027s OpenSearch component in versions 8.60 to 8.62 is also affected by an easily exploitable vulnerability.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-54988 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54988.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-54988"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty and Oracle Communications products address critical vulnerabilities, including the \u0027MadeYouReset\u0027 attack in HTTP/2, which can lead to denial of service and resource exhaustion.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities, including a memory amplification issue in libexpat and a DoS vulnerability in Oracle Communications Network Analytics, can lead to denial-of-service attacks without enabling arbitrary code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59375 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59375.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-59375"
    },
    {
      "cve": "CVE-2025-66516",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Apache Tika has a critical XML External Entity (XXE) injection vulnerability affecting multiple modules, particularly in PDF parsing, allowing remote attackers to exploit crafted files for sensitive information disclosure or remote code execution.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66516 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66516.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2025-66516"
    },
    {
      "cve": "CVE-2026-21962",
      "notes": [
        {
          "category": "description",
          "text": "A critical vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise systems, affecting specific versions with a CVSS score of 10.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16",
          "CSAFPID-17",
          "CSAFPID-18",
          "CSAFPID-19",
          "CSAFPID-20"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21962 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21962.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16",
            "CSAFPID-17",
            "CSAFPID-18",
            "CSAFPID-19",
            "CSAFPID-20"
          ]
        }
      ],
      "title": "CVE-2026-21962"
    }
  ]
}

OPENSUSE-SU-2024:14387-1

Vulnerability from csaf_opensuse - Published: 2024-10-08 00:00 - Updated: 2024-10-08 00:00

Summary

apache-commons-io-2.17.0-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: apache-commons-io-2.17.0-2.1 on GA media

Description of the patch: These are all security issues fixed in the apache-commons-io-2.17.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-14387

CVE-2024-47554

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

7 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://www.suse.com/security/cve/CVE-2024-47554/	self
https://www.suse.com/security/cve/CVE-2024-47554	external
https://bugzilla.suse.com/1231298	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "apache-commons-io-2.17.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the apache-commons-io-2.17.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14387",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14387-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:14387-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JRY5QEEISAVBMYG363PQWMMY2EMLEE5E/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:14387-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JRY5QEEISAVBMYG363PQWMMY2EMLEE5E/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47554 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47554/"
      }
    ],
    "title": "apache-commons-io-2.17.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-10-08T00:00:00Z",
      "generator": {
        "date": "2024-10-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14387-1",
      "initial_release_date": "2024-10-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-10-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.aarch64",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.aarch64",
                  "product_id": "apache-commons-io-2.17.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.ppc64le",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.ppc64le",
                  "product_id": "apache-commons-io-2.17.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.s390x",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.s390x",
                  "product_id": "apache-commons-io-2.17.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache-commons-io-2.17.0-2.1.x86_64",
                "product": {
                  "name": "apache-commons-io-2.17.0-2.1.x86_64",
                  "product_id": "apache-commons-io-2.17.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
                "product": {
                  "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
                  "product_id": "apache-commons-io-javadoc-2.17.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-2.17.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64"
        },
        "product_reference": "apache-commons-io-2.17.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache-commons-io-javadoc-2.17.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
        },
        "product_reference": "apache-commons-io-javadoc-2.17.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47554",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47554"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
          "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
          "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47554",
          "url": "https://www.suse.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231298 for CVE-2024-47554",
          "url": "https://bugzilla.suse.com/1231298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-2.17.0-2.1.x86_64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.aarch64",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.ppc64le",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.s390x",
            "openSUSE Tumbleweed:apache-commons-io-javadoc-2.17.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-10-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47554"
    }
  ]
}

RHSA-2024:8826

Vulnerability from csaf_redhat - Published: 2024-11-04 20:56 - Updated: 2026-06-01 17:18

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.4 Security update

Severity

Important

Notes

Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.0.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.0.4 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients [eap-8.0.z] (CVE-2024-41172) * com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service [eap-8.0.z] (CVE-2023-52428) * wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-8.0.z] (CVE-2024-4029) * xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-8.0.z] (CVE-2022-34169) * org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883) * org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698) * org.keycloak/keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-192 - Integer Coercion Error

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Important

CVE-2023-52428

A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Important

CVE-2024-4029

A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.

4.1 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Low

CVE-2024-8698

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE-347 - Improper Verification of Cryptographic Signature

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2024-8883

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-41172

A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-401 - Missing Release of Memory after Effective Lifetime

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47554

A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Enterprise Application Platform 8 Red Hat / Red Hat JBoss Enterprise Application Platform	`cpe:/a:redhat:jboss_enterprise_application_platform:8.0`	—	Vendor Fix fix

Threats

Impact Moderate

References

60 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:8826	self
https://access.redhat.com/security/updates/classi…	external
https://docs.redhat.com/en/documentation/red_hat_…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2108554	external
https://bugzilla.redhat.com/show_bug.cgi?id=2278615	external
https://bugzilla.redhat.com/show_bug.cgi?id=2298829	external
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://bugzilla.redhat.com/show_bug.cgi?id=2311641	external
https://bugzilla.redhat.com/show_bug.cgi?id=2312511	external
https://issues.redhat.com/browse/JBEAP-24945	external
https://issues.redhat.com/browse/JBEAP-25035	external
https://issues.redhat.com/browse/JBEAP-27002	external
https://issues.redhat.com/browse/JBEAP-27194	external
https://issues.redhat.com/browse/JBEAP-27276	external
https://issues.redhat.com/browse/JBEAP-27293	external
https://issues.redhat.com/browse/JBEAP-27392	external
https://issues.redhat.com/browse/JBEAP-27543	external
https://issues.redhat.com/browse/JBEAP-27585	external
https://issues.redhat.com/browse/JBEAP-27643	external
https://issues.redhat.com/browse/JBEAP-27659	external
https://issues.redhat.com/browse/JBEAP-27688	external
https://issues.redhat.com/browse/JBEAP-27694	external
https://issues.redhat.com/browse/JBEAP-27957	external
https://issues.redhat.com/browse/JBEAP-28057	external
https://issues.redhat.com/browse/JBEAP-28278	external
https://issues.redhat.com/browse/JBEAP-28289	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2022-34169	self
https://bugzilla.redhat.com/show_bug.cgi?id=2108554	external
https://www.cve.org/CVERecord?id=CVE-2022-34169	external
https://nvd.nist.gov/vuln/detail/CVE-2022-34169	external
https://access.redhat.com/security/cve/CVE-2023-52428	self
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://www.cve.org/CVERecord?id=CVE-2023-52428	external
https://nvd.nist.gov/vuln/detail/CVE-2023-52428	external
https://access.redhat.com/security/cve/CVE-2024-4029	self
https://bugzilla.redhat.com/show_bug.cgi?id=2278615	external
https://www.cve.org/CVERecord?id=CVE-2024-4029	external
https://nvd.nist.gov/vuln/detail/CVE-2024-4029	external
https://access.redhat.com/security/cve/CVE-2024-8698	self
https://bugzilla.redhat.com/show_bug.cgi?id=2311641	external
https://www.cve.org/CVERecord?id=CVE-2024-8698	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8698	external
https://access.redhat.com/security/cve/CVE-2024-8883	self
https://bugzilla.redhat.com/show_bug.cgi?id=2312511	external
https://www.cve.org/CVERecord?id=CVE-2024-8883	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8883	external
https://github.com/keycloak/keycloak/blob/main/se…	external
https://access.redhat.com/security/cve/CVE-2024-41172	self
https://bugzilla.redhat.com/show_bug.cgi?id=2298829	external
https://www.cve.org/CVERecord?id=CVE-2024-41172	external
https://nvd.nist.gov/vuln/detail/CVE-2024-41172	external
https://github.com/advisories/GHSA-4mgg-fqfq-64hg	external
https://lists.apache.org/thread/n2hvbrgwpdtcqdcco…	external
https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

Acknowledgments

Tanner Emek

Niklas Conrad Karsten Meyer zu Selhausen

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated\nthis update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 8.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 8.0.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 8.0.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients [eap-8.0.z] (CVE-2024-41172)\n\n* com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service [eap-8.0.z] (CVE-2023-52428)\n\n* wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-8.0.z] (CVE-2024-4029)\n\n* xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-8.0.z] (CVE-2022-34169)\n\n* org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirec [eap-8.0.z] (CVE-2024-8883)\n\n* org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698)\n\n* org.keycloak/keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak [eap-8.0.z] (CVE-2024-8698)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:8826",
        "url": "https://access.redhat.com/errata/RHSA-2024:8826"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0"
      },
      {
        "category": "external",
        "summary": "2108554",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554"
      },
      {
        "category": "external",
        "summary": "2278615",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278615"
      },
      {
        "category": "external",
        "summary": "2298829",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
      },
      {
        "category": "external",
        "summary": "2309764",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
      },
      {
        "category": "external",
        "summary": "2311641",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"
      },
      {
        "category": "external",
        "summary": "2312511",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
      },
      {
        "category": "external",
        "summary": "JBEAP-24945",
        "url": "https://issues.redhat.com/browse/JBEAP-24945"
      },
      {
        "category": "external",
        "summary": "JBEAP-25035",
        "url": "https://issues.redhat.com/browse/JBEAP-25035"
      },
      {
        "category": "external",
        "summary": "JBEAP-27002",
        "url": "https://issues.redhat.com/browse/JBEAP-27002"
      },
      {
        "category": "external",
        "summary": "JBEAP-27194",
        "url": "https://issues.redhat.com/browse/JBEAP-27194"
      },
      {
        "category": "external",
        "summary": "JBEAP-27276",
        "url": "https://issues.redhat.com/browse/JBEAP-27276"
      },
      {
        "category": "external",
        "summary": "JBEAP-27293",
        "url": "https://issues.redhat.com/browse/JBEAP-27293"
      },
      {
        "category": "external",
        "summary": "JBEAP-27392",
        "url": "https://issues.redhat.com/browse/JBEAP-27392"
      },
      {
        "category": "external",
        "summary": "JBEAP-27543",
        "url": "https://issues.redhat.com/browse/JBEAP-27543"
      },
      {
        "category": "external",
        "summary": "JBEAP-27585",
        "url": "https://issues.redhat.com/browse/JBEAP-27585"
      },
      {
        "category": "external",
        "summary": "JBEAP-27643",
        "url": "https://issues.redhat.com/browse/JBEAP-27643"
      },
      {
        "category": "external",
        "summary": "JBEAP-27659",
        "url": "https://issues.redhat.com/browse/JBEAP-27659"
      },
      {
        "category": "external",
        "summary": "JBEAP-27688",
        "url": "https://issues.redhat.com/browse/JBEAP-27688"
      },
      {
        "category": "external",
        "summary": "JBEAP-27694",
        "url": "https://issues.redhat.com/browse/JBEAP-27694"
      },
      {
        "category": "external",
        "summary": "JBEAP-27957",
        "url": "https://issues.redhat.com/browse/JBEAP-27957"
      },
      {
        "category": "external",
        "summary": "JBEAP-28057",
        "url": "https://issues.redhat.com/browse/JBEAP-28057"
      },
      {
        "category": "external",
        "summary": "JBEAP-28278",
        "url": "https://issues.redhat.com/browse/JBEAP-28278"
      },
      {
        "category": "external",
        "summary": "JBEAP-28289",
        "url": "https://issues.redhat.com/browse/JBEAP-28289"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8826.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.4 Security update",
    "tracking": {
      "current_release_date": "2026-06-01T17:18:25+00:00",
      "generator": {
        "date": "2026-06-01T17:18:25+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2024:8826",
      "initial_release_date": "2024-11-04T20:56:02+00:00",
      "revision_history": [
        {
          "date": "2024-11-04T20:56:02+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-04T20:56:02+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-01T17:18:25+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 8",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-34169",
      "cwe": {
        "id": "CWE-192",
        "name": "Integer Coercion Error"
      },
      "discovery_date": "2022-07-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2108554"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-34169"
        },
        {
          "category": "external",
          "summary": "RHBZ#2108554",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2108554"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34169",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169"
        }
      ],
      "release_date": "2022-07-19T20:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)"
    },
    {
      "cve": "CVE-2023-52428",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-09-04T17:02:58.468000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309764"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309764",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
        }
      ],
      "release_date": "2024-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
    },
    {
      "cve": "CVE-2024-4029",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2278615"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Wildfly\u2019s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat rates this as a Low impact since this requires high privileges to jeopardize the system. The management interface is normally internal/local only and not exposed externally.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-4029"
        },
        {
          "category": "external",
          "summary": "RHBZ#2278615",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278615"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-4029",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-4029"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-4029",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4029"
        }
      ],
      "release_date": "2024-05-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Currently there is no available mitigation for this vulnerability. Please make sure to perform updates as they become available.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Tanner Emek"
          ]
        }
      ],
      "cve": "CVE-2024-8698",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2024-09-10T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2311641"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is of high severity due to its potential to facilitate privilege escalation and user impersonation in systems using SAML for authentication. The core issue stems from improper validation logic in Keycloak\u0027s signature validation method, which relies on the position of signatures rather than explicitly checking the referenced elements. By manipulating the XML structure, an attacker can bypass signature validation and inject an unsigned assertion while retaining a valid signed one. This allows unauthorized access to high-privileged accounts, leading to significant security risks in SAML-based identity providers and service providers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8698"
        },
        {
          "category": "external",
          "summary": "RHBZ#2311641",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8698",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8698"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698"
        }
      ],
      "release_date": "2024-09-19T15:12:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak-saml-core: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Niklas Conrad",
            "Karsten Meyer zu Selhausen"
          ]
        }
      ],
      "cve": "CVE-2024-8883",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "discovery_date": "2024-09-16T06:17:01.573000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2312511"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a \u0027Valid Redirect URI\u0027 is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "RHBZ#2312511",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8883",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8883",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8883"
        },
        {
          "category": "external",
          "summary": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java",
          "url": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
        }
      ],
      "release_date": "2024-09-19T15:13:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec"
    },
    {
      "cve": "CVE-2024-41172",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "discovery_date": "2024-07-19T09:20:34+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2298829"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "RHBZ#2298829",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-41172",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg",
          "url": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6",
          "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6"
        },
        {
          "category": "external",
          "summary": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg",
          "url": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg"
        }
      ],
      "release_date": "2024-07-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-04T20:56:02+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

RHSA-2024:9571

Vulnerability from csaf_redhat - Published: 2024-11-13 16:21 - Updated: 2026-06-10 08:37

Summary

Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update

Severity

Moderate

Notes

Topic: Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements. Security Fix(es): * Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)" * Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)" * Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)" * Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)" "Drain Cleaner: Awaiting Analysis(CVE-2024-29025)" * Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"

CVE-2024-7254

A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2024-8184

A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-8285

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-297 - Improper Validation of Certificate with Host Mismatch

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-9823

A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-29025

A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-47554

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

References

69 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:9571	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://issues.redhat.com/browse/ASUI-91	external
https://issues.redhat.com/browse/ENTMQST-2632	external
https://issues.redhat.com/browse/ENTMQST-3288	external
https://issues.redhat.com/browse/ENTMQST-4019	external
https://issues.redhat.com/browse/ENTMQST-5199	external
https://issues.redhat.com/browse/ENTMQST-5669	external
https://issues.redhat.com/browse/ENTMQST-5674	external
https://issues.redhat.com/browse/ENTMQST-5740	external
https://issues.redhat.com/browse/ENTMQST-5789	external
https://issues.redhat.com/browse/ENTMQST-5843	external
https://issues.redhat.com/browse/ENTMQST-5850	external
https://issues.redhat.com/browse/ENTMQST-5863	external
https://issues.redhat.com/browse/ENTMQST-5865	external
https://issues.redhat.com/browse/ENTMQST-5915	external
https://issues.redhat.com/browse/ENTMQST-6028	external
https://issues.redhat.com/browse/ENTMQST-6032	external
https://issues.redhat.com/browse/ENTMQST-6129	external
https://issues.redhat.com/browse/ENTMQST-6183	external
https://issues.redhat.com/browse/ENTMQST-6205	external
https://issues.redhat.com/browse/ENTMQST-6225	external
https://issues.redhat.com/browse/ENTMQST-6341	external
https://issues.redhat.com/browse/ENTMQST-6421	external
https://issues.redhat.com/browse/ENTMQST-6422	external
https://issues.redhat.com/browse/ENTMQSTPR-43	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-7254	self
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://www.cve.org/CVERecord?id=CVE-2024-7254	external
https://nvd.nist.gov/vuln/detail/CVE-2024-7254	external
https://github.com/protocolbuffers/protobuf/commi…	external
https://access.redhat.com/security/cve/CVE-2024-8184	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://www.cve.org/CVERecord?id=CVE-2024-8184	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8184	external
https://github.com/jetty/jetty.project/pull/11723	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-8285	self
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://www.cve.org/CVERecord?id=CVE-2024-8285	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8285	external
https://access.redhat.com/security/cve/CVE-2024-9823	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://www.cve.org/CVERecord?id=CVE-2024-9823	external
https://nvd.nist.gov/vuln/detail/CVE-2024-9823	external
https://github.com/jetty/jetty.project/issues/1256	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-29025	self
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://www.cve.org/CVERecord?id=CVE-2024-29025	external
https://nvd.nist.gov/vuln/detail/CVE-2024-29025	external
https://gist.github.com/vietj/f558b8ea81ec6505f1e…	external
https://github.com/netty/netty/commit/0d0c6ed782d…	external
https://github.com/netty/netty/security/advisorie…	external
https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:9571",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2272907",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
      },
      {
        "category": "external",
        "summary": "2308606",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
      },
      {
        "category": "external",
        "summary": "2313454",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2318565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
      },
      {
        "category": "external",
        "summary": "ASUI-91",
        "url": "https://issues.redhat.com/browse/ASUI-91"
      },
      {
        "category": "external",
        "summary": "ENTMQST-2632",
        "url": "https://issues.redhat.com/browse/ENTMQST-2632"
      },
      {
        "category": "external",
        "summary": "ENTMQST-3288",
        "url": "https://issues.redhat.com/browse/ENTMQST-3288"
      },
      {
        "category": "external",
        "summary": "ENTMQST-4019",
        "url": "https://issues.redhat.com/browse/ENTMQST-4019"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5199",
        "url": "https://issues.redhat.com/browse/ENTMQST-5199"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5669",
        "url": "https://issues.redhat.com/browse/ENTMQST-5669"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5674",
        "url": "https://issues.redhat.com/browse/ENTMQST-5674"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5740",
        "url": "https://issues.redhat.com/browse/ENTMQST-5740"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5789",
        "url": "https://issues.redhat.com/browse/ENTMQST-5789"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5843",
        "url": "https://issues.redhat.com/browse/ENTMQST-5843"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5850",
        "url": "https://issues.redhat.com/browse/ENTMQST-5850"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5863",
        "url": "https://issues.redhat.com/browse/ENTMQST-5863"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5865",
        "url": "https://issues.redhat.com/browse/ENTMQST-5865"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5915",
        "url": "https://issues.redhat.com/browse/ENTMQST-5915"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6028",
        "url": "https://issues.redhat.com/browse/ENTMQST-6028"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6032",
        "url": "https://issues.redhat.com/browse/ENTMQST-6032"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6129",
        "url": "https://issues.redhat.com/browse/ENTMQST-6129"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6183",
        "url": "https://issues.redhat.com/browse/ENTMQST-6183"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6205",
        "url": "https://issues.redhat.com/browse/ENTMQST-6205"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6225",
        "url": "https://issues.redhat.com/browse/ENTMQST-6225"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6341",
        "url": "https://issues.redhat.com/browse/ENTMQST-6341"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6421",
        "url": "https://issues.redhat.com/browse/ENTMQST-6421"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6422",
        "url": "https://issues.redhat.com/browse/ENTMQST-6422"
      },
      {
        "category": "external",
        "summary": "ENTMQSTPR-43",
        "url": "https://issues.redhat.com/browse/ENTMQSTPR-43"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update",
    "tracking": {
      "current_release_date": "2026-06-10T08:37:11+00:00",
      "generator": {
        "date": "2026-06-10T08:37:11+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.2"
        }
      },
      "id": "RHSA-2024:9571",
      "initial_release_date": "2024-11-13T16:21:03+00:00",
      "revision_history": [
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-10T08:37:11+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.8.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.8.0",
                  "product_id": "Streams for Apache Kafka 2.8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-09-19T01:20:29.981665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2313454"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "RHBZ#2313454",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "release_date": "2024-09-19T01:15:10.963000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "cve": "CVE-2024-8285",
      "cwe": {
        "id": "CWE-297",
        "name": "Improper Validation of Certificate with Host Mismatch"
      },
      "discovery_date": "2024-08-29T22:39:10.882000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2308606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kroxylicious: Missing upstream Kafka TLS hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat have considered this vulnerability as a \u0027Moderate\u0027 severity given the complexity and the permission level required to perform a successful attacker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2308606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
        }
      ],
      "release_date": "2024-08-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kroxylicious: Missing upstream Kafka TLS hostname verification"
    },
    {
      "cve": "CVE-2024-9823",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:06.545771+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/issues/1256",
          "url": "https://github.com/jetty/jetty.project/issues/1256"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
        }
      ],
      "release_date": "2024-10-14T15:03:02.293000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter"
    },
    {
      "cve": "CVE-2024-29025",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2272907"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "RHBZ#2272907",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
          "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
          "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
        }
      ],
      "release_date": "2024-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

RHSA-2024_9571

Vulnerability from csaf_redhat - Published: 2024-11-13 16:21 - Updated: 2024-12-17 08:38

Summary

Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update

Severity

Moderate

Notes

CVE-2024-7254

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2024-8184

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-8285

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-297 - Improper Validation of Certificate with Host Mismatch

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-9823

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-29025

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-47554

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.8.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

References

69 references

URL	Category
https://access.redhat.com/errata/RHSA-2024:9571	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://issues.redhat.com/browse/ASUI-91	external
https://issues.redhat.com/browse/ENTMQST-2632	external
https://issues.redhat.com/browse/ENTMQST-3288	external
https://issues.redhat.com/browse/ENTMQST-4019	external
https://issues.redhat.com/browse/ENTMQST-5199	external
https://issues.redhat.com/browse/ENTMQST-5669	external
https://issues.redhat.com/browse/ENTMQST-5674	external
https://issues.redhat.com/browse/ENTMQST-5740	external
https://issues.redhat.com/browse/ENTMQST-5789	external
https://issues.redhat.com/browse/ENTMQST-5843	external
https://issues.redhat.com/browse/ENTMQST-5850	external
https://issues.redhat.com/browse/ENTMQST-5863	external
https://issues.redhat.com/browse/ENTMQST-5865	external
https://issues.redhat.com/browse/ENTMQST-5915	external
https://issues.redhat.com/browse/ENTMQST-6028	external
https://issues.redhat.com/browse/ENTMQST-6032	external
https://issues.redhat.com/browse/ENTMQST-6129	external
https://issues.redhat.com/browse/ENTMQST-6183	external
https://issues.redhat.com/browse/ENTMQST-6205	external
https://issues.redhat.com/browse/ENTMQST-6225	external
https://issues.redhat.com/browse/ENTMQST-6341	external
https://issues.redhat.com/browse/ENTMQST-6421	external
https://issues.redhat.com/browse/ENTMQST-6422	external
https://issues.redhat.com/browse/ENTMQSTPR-43	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2024-7254	self
https://bugzilla.redhat.com/show_bug.cgi?id=2313454	external
https://www.cve.org/CVERecord?id=CVE-2024-7254	external
https://nvd.nist.gov/vuln/detail/CVE-2024-7254	external
https://github.com/protocolbuffers/protobuf/commi…	external
https://access.redhat.com/security/cve/CVE-2024-8184	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://www.cve.org/CVERecord?id=CVE-2024-8184	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8184	external
https://github.com/jetty/jetty.project/pull/11723	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-8285	self
https://bugzilla.redhat.com/show_bug.cgi?id=2308606	external
https://www.cve.org/CVERecord?id=CVE-2024-8285	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8285	external
https://access.redhat.com/security/cve/CVE-2024-9823	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318565	external
https://www.cve.org/CVERecord?id=CVE-2024-9823	external
https://nvd.nist.gov/vuln/detail/CVE-2024-9823	external
https://github.com/jetty/jetty.project/issues/1256	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-29025	self
https://bugzilla.redhat.com/show_bug.cgi?id=2272907	external
https://www.cve.org/CVERecord?id=CVE-2024-29025	external
https://nvd.nist.gov/vuln/detail/CVE-2024-29025	external
https://gist.github.com/vietj/f558b8ea81ec6505f1e…	external
https://github.com/netty/netty/commit/0d0c6ed782d…	external
https://github.com/netty/netty/security/advisorie…	external
https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:9571",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2272907",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
      },
      {
        "category": "external",
        "summary": "2308606",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
      },
      {
        "category": "external",
        "summary": "2313454",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2318565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
      },
      {
        "category": "external",
        "summary": "ASUI-91",
        "url": "https://issues.redhat.com/browse/ASUI-91"
      },
      {
        "category": "external",
        "summary": "ENTMQST-2632",
        "url": "https://issues.redhat.com/browse/ENTMQST-2632"
      },
      {
        "category": "external",
        "summary": "ENTMQST-3288",
        "url": "https://issues.redhat.com/browse/ENTMQST-3288"
      },
      {
        "category": "external",
        "summary": "ENTMQST-4019",
        "url": "https://issues.redhat.com/browse/ENTMQST-4019"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5199",
        "url": "https://issues.redhat.com/browse/ENTMQST-5199"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5669",
        "url": "https://issues.redhat.com/browse/ENTMQST-5669"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5674",
        "url": "https://issues.redhat.com/browse/ENTMQST-5674"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5740",
        "url": "https://issues.redhat.com/browse/ENTMQST-5740"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5789",
        "url": "https://issues.redhat.com/browse/ENTMQST-5789"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5843",
        "url": "https://issues.redhat.com/browse/ENTMQST-5843"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5850",
        "url": "https://issues.redhat.com/browse/ENTMQST-5850"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5863",
        "url": "https://issues.redhat.com/browse/ENTMQST-5863"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5865",
        "url": "https://issues.redhat.com/browse/ENTMQST-5865"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5915",
        "url": "https://issues.redhat.com/browse/ENTMQST-5915"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6028",
        "url": "https://issues.redhat.com/browse/ENTMQST-6028"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6032",
        "url": "https://issues.redhat.com/browse/ENTMQST-6032"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6129",
        "url": "https://issues.redhat.com/browse/ENTMQST-6129"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6183",
        "url": "https://issues.redhat.com/browse/ENTMQST-6183"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6205",
        "url": "https://issues.redhat.com/browse/ENTMQST-6205"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6225",
        "url": "https://issues.redhat.com/browse/ENTMQST-6225"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6341",
        "url": "https://issues.redhat.com/browse/ENTMQST-6341"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6421",
        "url": "https://issues.redhat.com/browse/ENTMQST-6421"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6422",
        "url": "https://issues.redhat.com/browse/ENTMQST-6422"
      },
      {
        "category": "external",
        "summary": "ENTMQSTPR-43",
        "url": "https://issues.redhat.com/browse/ENTMQSTPR-43"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update",
    "tracking": {
      "current_release_date": "2024-12-17T08:38:18+00:00",
      "generator": {
        "date": "2024-12-17T08:38:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.3"
        }
      },
      "id": "RHSA-2024:9571",
      "initial_release_date": "2024-11-13T16:21:03+00:00",
      "revision_history": [
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-17T08:38:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.8.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.8.0",
                  "product_id": "Streams for Apache Kafka 2.8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-09-19T01:20:29.981665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2313454"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "RHBZ#2313454",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "release_date": "2024-09-19T01:15:10.963000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "cve": "CVE-2024-8285",
      "cwe": {
        "id": "CWE-297",
        "name": "Improper Validation of Certificate with Host Mismatch"
      },
      "discovery_date": "2024-08-29T22:39:10.882000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2308606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kroxylicious: Missing upstream Kafka TLS hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat have considered this vulnerability as a \u0027Moderate\u0027 severity given the complexity and the permission level required to perform a successful attacker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2308606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
        }
      ],
      "release_date": "2024-08-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kroxylicious: Missing upstream Kafka TLS hostname verification"
    },
    {
      "cve": "CVE-2024-9823",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:06.545771+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/issues/1256",
          "url": "https://github.com/jetty/jetty.project/issues/1256"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
        }
      ],
      "release_date": "2024-10-14T15:03:02.293000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter"
    },
    {
      "cve": "CVE-2024-29025",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2272907"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "RHBZ#2272907",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
          "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
          "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
        }
      ],
      "release_date": "2024-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

RHSA-2025:2416

Vulnerability from csaf_redhat - Published: 2025-03-05 20:59 - Updated: 2026-06-18 08:35

Summary

Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update

Severity

Important

Notes

Topic: Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements. Security Fix(es): * Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] "(CVE-2023-52428)" * Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] "(CVE-2024-47535)" * Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] "(CVE-2024-31141)" * Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] "(CVE-2024-47554)" * Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] "(CVE-2024-8184)" * Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)" * Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] "(CVE-2024-9355)" * Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] "(CVE-2024-24791)"

CVE-2023-52428

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Important

CVE-2024-8184

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-9355

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

6.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE-457 - Use of Uninitialized Variable

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-24791

A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2024-31141

A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-73 - External Control of File Name or Path

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47535

A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2024-47554

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Streams for Apache Kafka 2.9.0 Red Hat / Streams for Apache Kafka	`cpe:/a:redhat:amq_streams:2`	—	Vendor Fix fix

Threats

Impact Moderate

References

49 references

URL	Category
https://access.redhat.com/errata/RHSA-2025:2416	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2295310	external
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	external
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://bugzilla.redhat.com/show_bug.cgi?id=2325538	external
https://bugzilla.redhat.com/show_bug.cgi?id=2327264	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2023-52428	self
https://bugzilla.redhat.com/show_bug.cgi?id=2309764	external
https://www.cve.org/CVERecord?id=CVE-2023-52428	external
https://nvd.nist.gov/vuln/detail/CVE-2023-52428	external
https://access.redhat.com/security/cve/CVE-2024-8184	self
https://bugzilla.redhat.com/show_bug.cgi?id=2318564	external
https://www.cve.org/CVERecord?id=CVE-2024-8184	external
https://nvd.nist.gov/vuln/detail/CVE-2024-8184	external
https://github.com/jetty/jetty.project/pull/11723	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assigneme…	external
https://access.redhat.com/security/cve/CVE-2024-9355	self
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	external
https://www.cve.org/CVERecord?id=CVE-2024-9355	external
https://nvd.nist.gov/vuln/detail/CVE-2024-9355	external
https://github.com/golang-fips/openssl/pull/198	external
https://access.redhat.com/security/cve/CVE-2024-24791	self
https://bugzilla.redhat.com/show_bug.cgi?id=2295310	external
https://www.cve.org/CVERecord?id=CVE-2024-24791	external
https://nvd.nist.gov/vuln/detail/CVE-2024-24791	external
https://go.dev/cl/591255	external
https://go.dev/issue/67555	external
https://groups.google.com/g/golang-dev/c/t0rK-qHB…	external
https://access.redhat.com/security/cve/CVE-2024-31141	self
https://bugzilla.redhat.com/show_bug.cgi?id=2327264	external
https://www.cve.org/CVERecord?id=CVE-2024-31141	external
https://nvd.nist.gov/vuln/detail/CVE-2024-31141	external
https://lists.apache.org/thread/9whdzfr0zwdhr3646…	external
https://access.redhat.com/security/cve/CVE-2024-47535	self
https://bugzilla.redhat.com/show_bug.cgi?id=2325538	external
https://www.cve.org/CVERecord?id=CVE-2024-47535	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47535	external
https://github.com/netty/netty/commit/fbf7a704a82…	external
https://github.com/netty/netty/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2024-47554	self
https://bugzilla.redhat.com/show_bug.cgi?id=2316271	external
https://www.cve.org/CVERecord?id=CVE-2024-47554	external
https://nvd.nist.gov/vuln/detail/CVE-2024-47554	external
https://lists.apache.org/thread/6ozr91rr9cj5lm0zy…	external

Acknowledgments

Red Hat David Benoit

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] \"(CVE-2023-52428)\"\n\n* Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] \"(CVE-2024-47535)\"\n\n* Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] \"(CVE-2024-31141)\"\n\n* Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] \"(CVE-2024-47554)\"\n\n* Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] \"(CVE-2024-8184)\"\n\n* Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \"(CVE-2024-8184)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] \"(CVE-2024-9355)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] \"(CVE-2024-24791)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:2416",
        "url": "https://access.redhat.com/errata/RHSA-2025:2416"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2295310",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
      },
      {
        "category": "external",
        "summary": "2309764",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
      },
      {
        "category": "external",
        "summary": "2315719",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2325538",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
      },
      {
        "category": "external",
        "summary": "2327264",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2416.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update",
    "tracking": {
      "current_release_date": "2026-06-18T08:35:49+00:00",
      "generator": {
        "date": "2026-06-18T08:35:49+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2025:2416",
      "initial_release_date": "2025-03-05T20:59:06+00:00",
      "revision_history": [
        {
          "date": "2025-03-05T20:59:06+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-03-05T20:59:06+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-18T08:35:49+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.9.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.9.0",
                  "product_id": "Streams for Apache Kafka 2.9.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52428",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-09-04T17:02:58.468000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309764"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309764",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
        }
      ],
      "release_date": "2024-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "David Benoit"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2024-9355",
      "cwe": {
        "id": "CWE-457",
        "name": "Use of Uninitialized Variable"
      },
      "discovery_date": "2024-09-30T17:51:17.811000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2315719"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang-fips: Golang FIPS zeroed buffer",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "RHBZ#2315719",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
        },
        {
          "category": "external",
          "summary": "https://github.com/golang-fips/openssl/pull/198",
          "url": "https://github.com/golang-fips/openssl/pull/198"
        }
      ],
      "release_date": "2024-09-30T20:53:42.833000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang-fips: Golang FIPS zeroed buffer"
    },
    {
      "cve": "CVE-2024-24791",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-07-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2295310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/http: Denial of service due to improper 100-continue handling in net/http",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "RHBZ#2295310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/591255",
          "url": "https://go.dev/cl/591255"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/67555",
          "url": "https://go.dev/issue/67555"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
          "url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
        }
      ],
      "release_date": "2024-07-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "net/http: Denial of service due to improper 100-continue handling in net/http"
    },
    {
      "cve": "CVE-2024-31141",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "discovery_date": "2024-11-19T09:00:35.857468+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2327264"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "RHBZ#2327264",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-31141",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv",
          "url": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv"
        }
      ],
      "release_date": "2024-11-19T08:40:50.695000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider"
    },
    {
      "cve": "CVE-2024-47535",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-11-12T16:01:18.772613+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2325538"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: Denial of Service attack on windows app using Netty",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "RHBZ#2325538",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47535",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3",
          "url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"
        }
      ],
      "release_date": "2024-11-12T15:50:08.334000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: Denial of Service attack on windows app using Netty"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.9.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-05T20:59:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.9.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2416"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.9.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47554 (GCVE-0-2024-47554)

Tags

Sightings

Nomenclature