RHSA-2025:22404
Vulnerability from csaf_redhat - Published: 2025-12-01 09:19 - Updated: 2025-12-08 15:20Summary
Red Hat Security Advisory: Red Hat Developer Hub 1.7.3 release.
Notes
Topic
Red Hat Developer Hub 1.7.3 has been released.
Details
Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.7.3 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22404",
"url": "https://access.redhat.com/errata/RHSA-2025:22404"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-60542",
"url": "https://access.redhat.com/security/cve/CVE-2025-60542"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
"url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
},
{
"category": "external",
"summary": "https://developers.redhat.com/rhdh/overview",
"url": "https://developers.redhat.com/rhdh/overview"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHDHPLAN-367",
"url": "https://issues.redhat.com/browse/RHDHPLAN-367"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHIDP-9741",
"url": "https://issues.redhat.com/browse/RHIDP-9741"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22404.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Developer Hub 1.7.3 release.",
"tracking": {
"current_release_date": "2025-12-08T15:20:07+00:00",
"generator": {
"date": "2025-12-08T15:20:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2025:22404",
"initial_release_date": "2025-12-01T09:19:00+00:00",
"revision_history": [
{
"date": "2025-12-01T09:19:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-01T09:19:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-08T15:20:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.7",
"product": {
"name": "Red Hat Developer Hub 1.7",
"product_id": "Red Hat Developer Hub 1.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.7::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Abedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.3-1764237628"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256%3Af45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.3-1764235280"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256%3A54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.7.3-1764255796"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64 as a component of Red Hat Developer Hub 1.7",
"product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64 as a component of Red Hat Developer Hub 1.7",
"product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64 as a component of Red Hat Developer Hub 1.7",
"product_id": "Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-60542",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2025-10-29T16:01:34.709224+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407114"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in TypeORM. When used with MySQL/mysql2 drivers, the repository.save or repository.update methods incorrectly handle nested JSON objects. This is due to an underlying setting (stringifyObjects: false) that allows an attacker to craft a malicious JSON payload and cause a SQL injection flaw, leading to a bypass of field-level restrictions, modification of columns in the database and potentially to privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "TypeORM: SQL Injection via crafted request to repository.save or repository.update",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "An attacker able to send a specially crafted JSON payload to an application using the repository.save or repository.update methods can exploit this vulnerability. Additionally, the stringifyObjects option used by TypeORM is set to false by default, increasing the exposure of this issue. Due to these reasons, this flaw has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-60542"
},
{
"category": "external",
"summary": "RHBZ#2407114",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407114"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-60542",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-60542"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-60542",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60542"
},
{
"category": "external",
"summary": "https://github.com/typeorm/typeorm/pull/11574",
"url": "https://github.com/typeorm/typeorm/pull/11574"
},
{
"category": "external",
"summary": "https://github.com/typeorm/typeorm/releases/tag/0.3.26",
"url": "https://github.com/typeorm/typeorm/releases/tag/0.3.26"
},
{
"category": "external",
"summary": "https://github.com/typeorm/typeorm/releases?q=security\u0026expanded=true",
"url": "https://github.com/typeorm/typeorm/releases?q=security\u0026expanded=true"
},
{
"category": "external",
"summary": "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453",
"url": "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453"
}
],
"release_date": "2025-10-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-01T09:19:00+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22404"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:bedacfa68d74fce1e9efe3a3fdb18963f4e648d7ab6ccf34b868d62d9f25304a_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:54c5cd2a4865a372ba9465908f73928382745e04ad446c97b28adde213d13309_amd64",
"Red Hat Developer Hub 1.7:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:f45ee5600c84c3d014c8bfb9a06e3b600acaa74ce8ff4bf12e5124d25cbe5bfe_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "TypeORM: SQL Injection via crafted request to repository.save or repository.update"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…