cvelistv5 - cve-2025-0509

CVE-2025-0509 (GCVE-0-2025-0509)

Vulnerability from cvelistv5 – Published: 2025-02-04 20:01 – Updated: 2025-02-17 12:03

Summary

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-552 - Files or Directories Accessible to External Parties

Assigner

fedora

References

URL

Tags

	https://github.com/sparkle-project/Sparkle/pull/2550
	https://sparkle-project.org/documentation/securit…

Impacted products

	Vendor	Product	Version
	sparkle-project	Sparkle	Affected: 0 , < 2.6.4 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-02-04T20:02:51.557Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250124-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0509",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T20:29:02.431803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:51:29.701Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "MacOS"
          ],
          "product": "Sparkle",
          "repo": "https://github.com/sparkle-project/Sparkle/",
          "vendor": "sparkle-project",
          "versions": [
            {
              "lessThan": "2.6.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eA security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\u2019s (Ed)DSA signing checks.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\u2019s (Ed)DSA signing checks."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-184",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-184 Software Integrity Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552 Files or Directories Accessible to External Parties",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-17T12:03:46.428Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "url": "https://github.com/sparkle-project/Sparkle/pull/2550"
        },
        {
          "url": "https://sparkle-project.org/documentation/security-and-reliability/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Signing Checks Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2025-0509",
    "datePublished": "2025-02-04T20:01:08.865Z",
    "dateReserved": "2025-01-15T21:25:14.312Z",
    "dateUpdated": "2025-02-17T12:03:46.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-0509\",\"sourceIdentifier\":\"patrick@puiterwijk.org\",\"published\":\"2025-02-04T20:15:49.763\",\"lastModified\":\"2025-08-05T14:35:15.903\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\u2019s (Ed)DSA signing checks.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un problema de seguridad en Sparkle antes de la versi\u00f3n 2.64. Un atacante puede reemplazar una actualizaci\u00f3n firmada existente con otro payload, omitiendo las comprobaciones de firma de Sparkle (Ed)DSA.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.7,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"patrick@puiterwijk.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sparkle-project:sparkle:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6.4\",\"matchCriteriaId\":\"338ED490-33A3-4531-B18F-23466B3E5DAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AFE5CAF-ACA7-4F82-BEC1-69562D75E66E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5735E553-9731-4AAC-BCFF-989377F817B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AFE5CAF-ACA7-4F82-BEC1-69562D75E66E\"}]}]}],\"references\":[{\"url\":\"https://github.com/sparkle-project/Sparkle/pull/2550\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://sparkle-project.org/documentation/security-and-reliability/\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20250124-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20250124-0008/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-02-04T20:02:51.557Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0509\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T20:29:02.431803Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:42:58.685Z\"}}], \"cna\": {\"title\": \"Signing Checks Bypass\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-184\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-184 Software Integrity Attack\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/sparkle-project/Sparkle/\", \"vendor\": \"sparkle-project\", \"product\": \"Sparkle\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.6.4\", \"versionType\": \"semver\"}], \"platforms\": [\"MacOS\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/sparkle-project/Sparkle/pull/2550\"}, {\"url\": \"https://sparkle-project.org/documentation/security-and-reliability/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\\u2019s (Ed)DSA signing checks.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eA security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\\u2019s (Ed)DSA signing checks.\u003cbr\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-552\", \"description\": \"CWE-552 Files or Directories Accessible to External Parties\"}]}], \"providerMetadata\": {\"orgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"shortName\": \"fedora\", \"dateUpdated\": \"2025-02-17T12:03:46.428Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-0509\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-17T12:03:46.428Z\", \"dateReserved\": \"2025-01-15T21:25:14.312Z\", \"assignerOrgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"datePublished\": \"2025-02-04T20:01:08.865Z\", \"assignerShortName\": \"fedora\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-AVI-0053

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Oracle Java SE. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Java SE	Oracle Java SE version :8u431
Oracle	Java SE	Oracle Java SE version :8u431-perf
Oracle	Java SE	Oracle Java SE version :23.0.1
Oracle	Java SE	Oracle Java SE version :17.0.13
Oracle	Java SE	Oracle Java SE version :21.0.5
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:17.0.13
Oracle	Java SE	Oracle Java SE version :11.0.25
Oracle	Java SE	Oracle Java SE version Oracle GraalVM Enterprise Edition:20.3.16
Oracle	Java SE	Oracle Java SE version Oracle GraalVM Enterprise Edition:21.3.12
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:21.0.5
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:23.0.1

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle Java SE cpujan2025

2025-01-21

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Java SE version :8u431",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :8u431-perf",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :23.0.1",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :17.0.13",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :21.0.5",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:17.0.13",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :11.0.25",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM Enterprise Edition:20.3.16",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM Enterprise Edition:21.3.12",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:21.0.5",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:23.0.1",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-0509",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0509"
    },
    {
      "name": "CVE-2025-21502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21502"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0053",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Java SE. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Java SE",
  "vendor_advisories": [
    {
      "published_at": "2025-01-21",
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle Java SE cpujan2025",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ]
}

CERTFR-2025-AVI-0053

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Java SE	Oracle Java SE version :8u431
Oracle	Java SE	Oracle Java SE version :8u431-perf
Oracle	Java SE	Oracle Java SE version :23.0.1
Oracle	Java SE	Oracle Java SE version :17.0.13
Oracle	Java SE	Oracle Java SE version :21.0.5
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:17.0.13
Oracle	Java SE	Oracle Java SE version :11.0.25
Oracle	Java SE	Oracle Java SE version Oracle GraalVM Enterprise Edition:20.3.16
Oracle	Java SE	Oracle Java SE version Oracle GraalVM Enterprise Edition:21.3.12
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:21.0.5
Oracle	Java SE	Oracle Java SE version Oracle GraalVM for JDK:23.0.1

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle Java SE cpujan2025

2025-01-21

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Java SE version :8u431",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :8u431-perf",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :23.0.1",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :17.0.13",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :21.0.5",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:17.0.13",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version :11.0.25",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM Enterprise Edition:20.3.16",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM Enterprise Edition:21.3.12",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:21.0.5",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java SE version Oracle GraalVM for JDK:23.0.1",
      "product": {
        "name": "Java SE",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-0509",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0509"
    },
    {
      "name": "CVE-2025-21502",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-21502"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0053",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Java SE. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Java SE",
  "vendor_advisories": [
    {
      "published_at": "2025-01-21",
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle Java SE cpujan2025",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ]
}

FKIE_CVE-2025-0509

Vulnerability from fkie_nvd - Published: 2025-02-04 20:15 - Updated: 2025-08-05 14:35

Severity ?

7.3 (High) - CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

References

URL	Tags
patrick@puiterwijk.org	https://github.com/sparkle-project/Sparkle/pull/2550	Issue Tracking, Patch
patrick@puiterwijk.org	https://sparkle-project.org/documentation/security-and-reliability/	Patch
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250124-0008/	Vendor Advisory

Impacted products

Vendor	Product	Version
sparkle-project	sparkle	*
netapp	hci_compute_node	-
netapp	oncommand_workflow_automation	-
netapp	hci_compute_node	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sparkle-project:sparkle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "338ED490-33A3-4531-B18F-23466B3E5DAD",
              "versionEndExcluding": "2.6.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AFE5CAF-ACA7-4F82-BEC1-69562D75E66E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AFE5CAF-ACA7-4F82-BEC1-69562D75E66E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\u2019s (Ed)DSA signing checks."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un problema de seguridad en Sparkle antes de la versi\u00f3n 2.64. Un atacante puede reemplazar una actualizaci\u00f3n firmada existente con otro payload, omitiendo las comprobaciones de firma de Sparkle (Ed)DSA."
    }
  ],
  "id": "CVE-2025-0509",
  "lastModified": "2025-08-05T14:35:15.903",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 6.0,
        "source": "patrick@puiterwijk.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-04T20:15:49.763",
  "references": [
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/sparkle-project/Sparkle/pull/2550"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Patch"
      ],
      "url": "https://sparkle-project.org/documentation/security-and-reliability/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20250124-0008/"
    }
  ],
  "sourceIdentifier": "patrick@puiterwijk.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-552"
        }
      ],
      "source": "patrick@puiterwijk.org",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2025-0140

Vulnerability from csaf_certbund - Published: 2025-01-21 23:00 - Updated: 2025-06-02 22:00

Summary

Oracle Java SE: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Die Java Platform, Standard Edition (SE) ist eine Sammlung von Java-APIs (JDK) und der Java Laufzeit Umgebung (JRE).

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Java SE ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme

- Linux - MacOS X - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Die Java Platform, Standard Edition (SE) ist eine Sammlung von Java-APIs (JDK) und der Java Laufzeit Umgebung (JRE).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Java SE ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0140 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0140.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0140 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0140"
      },
      {
        "category": "external",
        "summary": "Oracle Critical Patch Update Advisory - January 2025 - Appendix Oracle Java SE vom 2025-01-21",
        "url": "https://www.oracle.com/security-alerts/cpujan2025.html#AppendixJAVA"
      },
      {
        "category": "external",
        "summary": "Azul Zulu builds of OpenJDK vom 2025-01-21",
        "url": "https://docs.azul.com/core/pdfs/january-2025/azul-zulu-ca-release-notes-january-2025-rev1.0.pdf"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0421 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0421"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0422 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0422"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0423 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0423"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0429 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0429"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0425 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0425"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0424 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0424"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0427 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0427"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0426 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0426"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0428 vom 2025-01-22",
        "url": "https://access.redhat.com/errata/RHSA-2025:0428"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-0422 vom 2025-01-23",
        "url": "https://linux.oracle.com/errata/ELSA-2025-0422.html"
      },
      {
        "category": "external",
        "summary": "Azul Zulu builds of OpenJDK January 2025 Quarterly Update vom 2025-01-23",
        "url": "https://docs.azul.com/core/pdfs/january-2025/azul-zulu-ca-release-notes-january-2025-rev1.1.pdf"
      },
      {
        "category": "external",
        "summary": "OpenJDK Vulnerability Advisory vom 2025-01-23",
        "url": "https://openjdk.org/groups/vulnerability/advisories/2025-01-21"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0235-1 vom 2025-01-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020198.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-0426 vom 2025-01-24",
        "url": "https://linux.oracle.com/errata/ELSA-2025-0426.html"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20250124-0009 vom 2025-01-24",
        "url": "https://security.netapp.com/advisory/ntap-20250124-0009/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0279-1 vom 2025-01-29",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DB5O3YINIJCFD7QG2XWMMPJ5H4BQKLIA/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:0782 vom 2025-01-28",
        "url": "https://access.redhat.com/errata/RHSA-2025:0782"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4037 vom 2025-01-31",
        "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00031.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5857 vom 2025-02-03",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00019.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0338-1 vom 2025-02-03",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EC4FA6VN4EGPE4KWYLPMGJ64XQFZWDHD/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0339-1 vom 2025-02-03",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GNTTJS5C4PQRSAZ6PPMASXKOCRDQMZ27/"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7255-1 vom 2025-02-05",
        "url": "https://ubuntu.com/security/notices/USN-7255-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7253-1 vom 2025-02-05",
        "url": "https://ubuntu.com/security/notices/USN-7253-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7252-1 vom 2025-02-05",
        "url": "https://ubuntu.com/security/notices/USN-7252-1"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2025-2740 vom 2025-02-04",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2740.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2025-2741 vom 2025-02-04",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2741.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7254-1 vom 2025-02-05",
        "url": "https://ubuntu.com/security/notices/USN-7254-1"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:1154 vom 2025-02-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:1154"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4043 vom 2025-02-07",
        "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00004.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14755-1 vom 2025-02-10",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T7KZSNPFAS32QHPRWSJGI2D4QTO3KWTH/"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2025:0426 vom 2025-02-13",
        "url": "https://errata.build.resf.org/RLSA-2025:0426"
      },
      {
        "category": "external",
        "summary": "Azul Zulu builds of OpenJDK vom 2025-02-19",
        "url": "https://docs.azul.com/core/pdfs/january-2025/azul-zulu-ca-release-notes-january-2025-rev1.2.pdf"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:0066-1 vom 2025-02-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GS63GCBRVH7N4JEIZNQAPVFNNVB2OGSU/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:0067-1 vom 2025-02-20",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/XA5CCGSPUXUTQHDG25O5DM4G37BLRUMN/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:14824-1 vom 2025-02-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SEZ7TDWKNAHFBSUJ6EKTGNZH73T5RDFR/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0674-1 vom 2025-02-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-February/020421.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:0675-1 vom 2025-02-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-February/020420.html"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2025-109 vom 2025-02-27",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-109/index.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2615 vom 2025-03-11",
        "url": "https://access.redhat.com/errata/RHSA-2025:2615"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7338-1 vom 2025-03-11",
        "url": "https://ubuntu.com/security/notices/USN-7338-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7339-1 vom 2025-03-11",
        "url": "https://ubuntu.com/security/notices/USN-7339-1"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2025-213 vom 2025-05-30",
        "url": "https://www.dell.com/support/kbdoc/de-de/000326299/dsa-2025-213-security-update-for-dell-avamar-dell-networker-virtual-edition-nve-and-dell-powerprotect-dp-series-appliance-dell-integrated-data-protection-appliance-idpa-multiple-third-party-vulnerabilities"
      },
      {
        "category": "external",
        "summary": "XEROX Security Advisory XRX25-012 vom 2025-06-02",
        "url": "https://security.business.xerox.com/wp-content/uploads/2025/06/Xerox-Security-Bulletin-XRX25-012-for-Xerox-FreeFlow-Print-Server-v9.pdf"
      }
    ],
    "source_lang": "en-US",
    "title": "Oracle Java SE: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-02T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-03T09:27:39.130+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0140",
      "initial_release_date": "2025-01-21T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-21T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-01-22T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-01-23T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2025-01-26T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE, Oracle Linux und NetApp aufgenommen"
        },
        {
          "date": "2025-01-28T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE und Red Hat aufgenommen"
        },
        {
          "date": "2025-02-02T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-02-03T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Debian und SUSE aufgenommen"
        },
        {
          "date": "2025-02-04T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Ubuntu und Amazon aufgenommen"
        },
        {
          "date": "2025-02-06T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-02-10T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-02-13T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2025-02-18T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-02-19T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-02-23T23:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-02-24T23:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2025-02-26T23:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2025-03-10T23:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat und Ubuntu aufgenommen"
        },
        {
          "date": "2025-05-29T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2025-06-02T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von XEROX aufgenommen"
        }
      ],
      "status": "final",
      "version": "19"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Azul Zulu",
                "product": {
                  "name": "Azul Zulu",
                  "product_id": "T034269",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:azul:zulu:-"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Azul Zulu",
                "product": {
                  "name": "Azul Zulu",
                  "product_id": "T036273",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:azul:zulu:-"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Zulu"
          }
        ],
        "category": "vendor",
        "name": "Azul"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Dell Avamar",
            "product": {
              "name": "Dell Avamar",
              "product_id": "T039664",
              "product_identification_helper": {
                "cpe": "cpe:/a:dell:avamar:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Dell NetWorker",
            "product": {
              "name": "Dell NetWorker",
              "product_id": "T034583",
              "product_identification_helper": {
                "cpe": "cpe:/a:dell:networker:virtual"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Dell"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Hitachi Command Suite",
            "product": {
              "name": "Hitachi Command Suite",
              "product_id": "T038839",
              "product_identification_helper": {
                "cpe": "cpe:/a:hitachi:command_suite:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Hitachi Configuration Manager",
            "product": {
              "name": "Hitachi Configuration Manager",
              "product_id": "T020304",
              "product_identification_helper": {
                "cpe": "cpe:/a:hitachi:configuration_manager:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Hitachi Ops Center",
            "product": {
              "name": "Hitachi Ops Center",
              "product_id": "T038840",
              "product_identification_helper": {
                "cpe": "cpe:/a:hitachi:ops_center:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "NetApp ActiveIQ Unified Manager",
            "product": {
              "name": "NetApp ActiveIQ Unified Manager",
              "product_id": "T032260",
              "product_identification_helper": {
                "cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source OpenJDK",
            "product": {
              "name": "Open Source OpenJDK",
              "product_id": "580789",
              "product_identification_helper": {
                "cpe": "cpe:/a:oracle:openjdk:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for JDK 17.0.13",
                "product": {
                  "name": "Oracle GraalVM for JDK 17.0.13",
                  "product_id": "T040511",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:graalvm:17.0.13::for_jdk"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for JDK 21.0.5",
                "product": {
                  "name": "Oracle GraalVM for JDK 21.0.5",
                  "product_id": "T040512",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:graalvm:21.0.5::for_jdk"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for JDK 23.0.1",
                "product": {
                  "name": "Oracle GraalVM for JDK 23.0.1",
                  "product_id": "T040513",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:graalvm:23.0.1::for_jdk"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise Edition 20.3.16",
                "product": {
                  "name": "Oracle GraalVM Enterprise Edition 20.3.16",
                  "product_id": "T040514",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:graalvm:20.3.16::enterprise_edition"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Enterprise Edition 21.3.12",
                "product": {
                  "name": "Oracle GraalVM Enterprise Edition 21.3.12",
                  "product_id": "T040515",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:graalvm:21.3.12::enterprise_edition"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "GraalVM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.0.25",
                "product": {
                  "name": "Oracle Java SE 11.0.25",
                  "product_id": "T040470",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:java_se:11.0.25"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "17.0.13",
                "product": {
                  "name": "Oracle Java SE 17.0.13",
                  "product_id": "T040471",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:java_se:17.0.13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8u431",
                "product": {
                  "name": "Oracle Java SE 8u431",
                  "product_id": "T040508",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:java_se:8u431-perf"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "21.0.5",
                "product": {
                  "name": "Oracle Java SE 21.0.5",
                  "product_id": "T040509",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:java_se:21.0.5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "23.0.1",
                "product": {
                  "name": "Oracle Java SE 23.0.1",
                  "product_id": "T040510",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:java_se:23.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Java SE"
          },
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "Xerox FreeFlow Print Server 9",
                  "product_id": "T002977",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:xerox:freeflow_print_server:9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FreeFlow Print Server"
          }
        ],
        "category": "vendor",
        "name": "Xerox"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-0509",
      "product_status": {
        "known_affected": [
          "T040509",
          "T040508",
          "T034269",
          "67646",
          "T034583",
          "T002977",
          "T032260",
          "T004914",
          "T038840",
          "T040471",
          "T040470",
          "T020304",
          "T040513",
          "T040512",
          "398363",
          "T040511",
          "T040510",
          "T038839",
          "T040515",
          "T040514",
          "T032255",
          "T039664",
          "T036273",
          "2951",
          "T002207",
          "T000126",
          "580789",
          "T027843"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2025-0509"
    },
    {
      "cve": "CVE-2025-21502",
      "product_status": {
        "known_affected": [
          "T040509",
          "T040508",
          "T034269",
          "67646",
          "T034583",
          "T002977",
          "T032260",
          "T004914",
          "T038840",
          "T040471",
          "T040470",
          "T020304",
          "T040513",
          "T040512",
          "398363",
          "T040511",
          "T040510",
          "T038839",
          "T040515",
          "T040514",
          "T032255",
          "T039664",
          "T036273",
          "2951",
          "T002207",
          "T000126",
          "580789",
          "T027843"
        ]
      },
      "release_date": "2025-01-21T23:00:00.000+00:00",
      "title": "CVE-2025-21502"
    }
  ]
}

GHSA-WC9M-R3V6-9P5H

Vulnerability from github – Published: 2025-02-04 21:32 – Updated: 2025-02-04 23:18

Summary

Sparkle Signing Checks Bypass

Details

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.6.3"
      },
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/sparkle-project/Sparkle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-0509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-04T23:18:58Z",
    "nvd_published_at": "2025-02-04T20:15:49Z",
    "severity": "HIGH"
  },
  "details": "A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle\u2019s (Ed)DSA signing checks.",
  "id": "GHSA-wc9m-r3v6-9p5h",
  "modified": "2025-02-04T23:18:58Z",
  "published": "2025-02-04T21:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparkle-project/Sparkle/pull/2550"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparkle-project/Sparkle"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0008"
    },
    {
      "type": "WEB",
      "url": "https://sparkle-project.org/documentation/security-and-reliability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sparkle Signing Checks Bypass"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-0509 (GCVE-0-2025-0509)

CERTFR-2025-AVI-0053

Solutions

CERTFR-2025-AVI-0053

Solutions

FKIE_CVE-2025-0509

WID-SEC-W-2025-0140

GHSA-WC9M-R3V6-9P5H

Tags

Sightings

Nomenclature