cvelistv5 - cve-2025-0736

CVE-2025-0736 (GCVE-0-2025-0736)

Vulnerability from cvelistv5 – Published: 2025-01-28 09:12 – Updated: 2025-11-11 16:11

Summary

A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:2663	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-0736	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2342233	issue-trackingx_refsource_REDHAT

Impacted products

Vendor

Product

Version

Affected: 0 , < 15.1.5 (semver)
Affected: 0 , < 15.0.13 (semver)
Affected: 0 , < 14.0.34 (semver)

Red Hat

Red Hat Data Grid

cpe:/a:redhat:jboss_data_grid:8

Credits

Red Hat would like to thank Vika Vorkin for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0736",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T14:38:23.466699Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T14:38:34.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://mvnrepository.com/artifact/org.infinispan/infinispan-parent",
          "defaultStatus": "unaffected",
          "packageName": "org.infinispan-infinispan-parent",
          "versions": [
            {
              "lessThan": "15.1.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.0.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.0.34",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.infinispan-infinispan-parent",
          "product": "Red Hat Data Grid",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Vika Vorkin for reporting this issue."
        }
      ],
      "datePublic": "2025-01-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-11T16:11:27.773Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:2663",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:2663"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-0736"
        },
        {
          "name": "RHBZ#2342233",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342233"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-01-27T11:14:12.725000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-01-27T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Org.infinispan-infinispan-parent: exposure of sensitive information in application logs",
      "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-0736",
    "datePublished": "2025-01-28T09:12:38.101Z",
    "dateReserved": "2025-01-27T11:46:29.978Z",
    "dateUpdated": "2025-11-11T16:11:27.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-0736\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-01-28T09:15:09.543\",\"lastModified\":\"2025-03-12T04:15:16.120\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en Infinispan al usar JGroups con JDBC_PING. Este problema ocurre cuando una aplicaci\u00f3n expone inadvertidamente informaci\u00f3n confidencial, como detalles de configuraci\u00f3n o credenciales, a trav\u00e9s de mecanismos de registro. Esta exposici\u00f3n puede provocar acceso no autorizado y explotaci\u00f3n por parte de actores maliciosos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2025:2663\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-0736\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2342233\",\"source\":\"secalert@redhat.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0736\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-28T14:38:23.466699Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-28T14:38:29.907Z\"}}], \"cna\": {\"title\": \"Org.infinispan-infinispan-parent: exposure of sensitive information in application logs\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Vika Vorkin for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"15.1.5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"15.0.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"14.0.34\", \"versionType\": \"semver\"}], \"packageName\": \"org.infinispan-infinispan-parent\", \"collectionURL\": \"https://mvnrepository.com/artifact/org.infinispan/infinispan-parent\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:jboss_data_grid:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Data Grid\", \"packageName\": \"org.infinispan-infinispan-parent\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-01-27T11:14:12.725000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-01-27T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-01-27T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2025:2663\", \"name\": \"RHSA-2025:2663\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2025-0736\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2342233\", \"name\": \"RHBZ#2342233\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-11T16:11:27.773Z\"}, \"x_redhatCweChain\": \"CWE-532: Insertion of Sensitive Information into Log File\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-0736\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-11T16:11:27.773Z\", \"dateReserved\": \"2025-01-27T11:46:29.978Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-01-28T09:12:38.101Z\", \"assignerShortName\": \"redhat\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-0736

Vulnerability from fkie_nvd - Published: 2025-01-28 09:15 - Updated: 2025-03-12 04:15

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	secalert@redhat.com	https://access.redhat.com/errata/RHSA-2025:2663
	secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2025-0736
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2342233

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Infinispan al usar JGroups con JDBC_PING. Este problema ocurre cuando una aplicaci\u00f3n expone inadvertidamente informaci\u00f3n confidencial, como detalles de configuraci\u00f3n o credenciales, a trav\u00e9s de mecanismos de registro. Esta exposici\u00f3n puede provocar acceso no autorizado y explotaci\u00f3n por parte de actores maliciosos."
    }
  ],
  "id": "CVE-2025-0736",
  "lastModified": "2025-03-12T04:15:16.120",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-28T09:15:09.543",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:2663"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-0736"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342233"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2025-0463

Vulnerability from csaf_certbund - Published: 2025-02-27 23:00 - Updated: 2025-05-20 22:00

Summary

Keycloak (XStream und Infinispan): Multiple Vulnerabilities

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Keycloak ermöglicht Single Sign-On mit Identity and Access Management für moderne Anwendungen und Dienste.

Angriff

Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Keycloak ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen preiszugeben.

Betroffene Betriebssysteme

- UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Keycloak erm\u00f6glicht Single Sign-On mit Identity and Access Management f\u00fcr moderne Anwendungen und Dienste.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Keycloak ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen preiszugeben.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0463 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0463.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0463 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0463"
      },
      {
        "category": "external",
        "summary": "Keycloak 26.1.3 release vom 2025-02-27",
        "url": "https://www.keycloak.org/2025/02/keycloak-2613-released"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7175916 vom 2025-02-28",
        "url": "https://www.ibm.com/support/pages/node/7175916"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2218 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2218"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2222 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2222"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2221 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2221"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2220 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2220"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2223 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2223"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2219 vom 2025-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2025:2219"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2663 vom 2025-03-11",
        "url": "https://access.redhat.com/errata/RHSA-2025:2663"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7185398 vom 2025-03-29",
        "url": "https://www.ibm.com/support/pages/node/7185398"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Advisory",
        "url": "https://jira.atlassian.com/browse/CONFSERVER-99568"
      }
    ],
    "source_lang": "en-US",
    "title": "Keycloak (XStream und Infinispan): Multiple Vulnerabilities",
    "tracking": {
      "current_release_date": "2025-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-21T08:35:22.891+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0463",
      "initial_release_date": "2025-02-27T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-02-27T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-03-02T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-03-04T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-11T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-20T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Atlassian aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.2.2",
                "product": {
                  "name": "Atlassian Confluence \u003c9.2.2",
                  "product_id": "T042904"
                }
              },
              {
                "category": "product_version",
                "name": "9.2.2",
                "product": {
                  "name": "Atlassian Confluence 9.2.2",
                  "product_id": "T042904-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_and_server__9.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.3.2",
                "product": {
                  "name": "Atlassian Confluence \u003c9.3.2",
                  "product_id": "T042906"
                }
              },
              {
                "category": "product_version",
                "name": "9.3.2",
                "product": {
                  "name": "Atlassian Confluence 9.3.2",
                  "product_id": "T042906-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_and_server__9.3.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.5.21",
                "product": {
                  "name": "Atlassian Confluence \u003c8.5.21",
                  "product_id": "T042909"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.21",
                "product": {
                  "name": "Atlassian Confluence 8.5.21",
                  "product_id": "T042909-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_and_server__8.5.21"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM FileNet Content Manager",
            "product": {
              "name": "IBM FileNet Content Manager",
              "product_id": "T025993",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:filenet_content_manager:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c26.1.3",
                "product": {
                  "name": "Open Source Keycloak \u003c26.1.3",
                  "product_id": "T041494"
                }
              },
              {
                "category": "product_version",
                "name": "26.1.3",
                "product": {
                  "name": "Open Source Keycloak 26.1.3",
                  "product_id": "T041494-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:keycloak:keycloak:26.1.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.5.3",
                "product": {
                  "name": "Red Hat JBoss Data Grid \u003c8.5.3",
                  "product_id": "T041746"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.3",
                "product": {
                  "name": "Red Hat JBoss Data Grid 8.5.3",
                  "product_id": "T041746-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:8.5.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47072",
      "product_status": {
        "known_affected": [
          "T042909",
          "T041494",
          "67646",
          "444803",
          "T041746",
          "T025993",
          "T042904",
          "T042906"
        ]
      },
      "release_date": "2025-02-27T23:00:00.000+00:00",
      "title": "CVE-2024-47072"
    },
    {
      "cve": "CVE-2025-0736",
      "product_status": {
        "known_affected": [
          "T042909",
          "T041494",
          "67646",
          "444803",
          "T041746",
          "T025993",
          "T042904",
          "T042906"
        ]
      },
      "release_date": "2025-02-27T23:00:00.000+00:00",
      "title": "CVE-2025-0736"
    }
  ]
}

GHSA-269M-C36J-R834

Vulnerability from github – Published: 2025-01-28 09:32 – Updated: 2025-03-12 14:45

Summary

Infinispan vulnerable to Insertion of Sensitive Information into Log File

Details

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.infinispan:infinispan-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "15.1.4.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-0736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T19:15:59Z",
    "nvd_published_at": "2025-01-28T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.",
  "id": "GHSA-269m-c36j-r834",
  "modified": "2025-03-12T14:45:44Z",
  "published": "2025-01-28T09:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0736"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:2663"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-0736"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342233"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/infinispan/infinispan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Infinispan vulnerable to Insertion of Sensitive Information into Log File"
}

RHSA-2025:2663

Vulnerability from csaf_redhat - Published: 2025-03-11 14:10 - Updated: 2025-11-21 19:32

Summary

Red Hat Security Advisory: Red Hat Data Grid 8.5.3 security update

Notes

Topic

An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.5.3 replaces Data Grid 8.5.2 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.3 in the Release Notes[3]. Security Fix(es): * CVE-2025-24970 io.netty/netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine [jdg-8] (CVE-2025-24970) * CVE-2025-0736 org.infinispan-infinispan-parent: Exposure of Sensitive Information in Application Logs [jdg-8] (CVE-2025-0736) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.5.3 replaces Data Grid 8.5.2 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.3 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* CVE-2025-24970 io.netty/netty-handler: SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine [jdg-8] (CVE-2025-24970)\n\n* CVE-2025-0736 org.infinispan-infinispan-parent: Exposure of Sensitive Information in Application Logs [jdg-8] (CVE-2025-0736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:2663",
        "url": "https://access.redhat.com/errata/RHSA-2025:2663"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2342233",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342233"
      },
      {
        "category": "external",
        "summary": "2344787",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344787"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2663.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Data Grid 8.5.3 security update",
    "tracking": {
      "current_release_date": "2025-11-21T19:32:25+00:00",
      "generator": {
        "date": "2025-11-21T19:32:25+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2025:2663",
      "initial_release_date": "2025-03-11T14:10:03+00:00",
      "revision_history": [
        {
          "date": "2025-03-11T14:10:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-03-11T14:10:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T19:32:25+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Data Grid",
                "product": {
                  "name": "Red Hat Data Grid",
                  "product_id": "Red Hat Data Grid",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Vika Vorkin"
          ]
        }
      ],
      "cve": "CVE-2025-0736",
      "cwe": {
        "id": "CWE-532",
        "name": "Insertion of Sensitive Information into Log File"
      },
      "discovery_date": "2025-01-27T11:14:12.725000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2342233"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.infinispan-infinispan-parent: Exposure of Sensitive Information in Application Logs",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-0736"
        },
        {
          "category": "external",
          "summary": "RHBZ#2342233",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342233"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-0736",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-0736"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-0736",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0736"
        }
      ],
      "release_date": "2025-01-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-11T14:10:03+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Data Grid"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2663"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.infinispan-infinispan-parent: Exposure of Sensitive Information in Application Logs"
    },
    {
      "cve": "CVE-2025-24970",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2025-02-10T23:00:52.785132+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2344787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty\u0027s SslHandler. This vulnerability allows a native crash via a specially crafted packet that bypasses proper validation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "io.netty:netty-handler: SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability in Netty\u0027s SslHandler is of important severity rather than moderate because it directly impacts the stability and reliability of applications using native SSLEngine. By sending a specially crafted packet, an attacker can trigger a native crash, leading to a complete process termination. Unlike typical moderate vulnerabilities that might cause limited disruptions or require specific conditions, this flaw can be exploited remotely to induce a Denial of Service (DoS), affecting high-availability systems and mission-critical services.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-24970"
        },
        {
          "category": "external",
          "summary": "RHBZ#2344787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-24970",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4",
          "url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw"
        }
      ],
      "release_date": "2025-02-10T21:57:28.730000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-03-11T14:10:03+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Data Grid"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:2663"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Data Grid"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "io.netty:netty-handler: SslHandler doesn\u0027t correctly validate packets which can lead to native crash when using native SSLEngine"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-0736 (GCVE-0-2025-0736)

FKIE_CVE-2025-0736

WID-SEC-W-2025-0463

GHSA-269M-C36J-R834

RHSA-2025:2663

Tags

Sightings

Nomenclature