RHSA-2025:3959
Vulnerability from csaf_redhat - Published: 2025-04-16 21:10 - Updated: 2025-12-27 16:38Summary
Red Hat Security Advisory: VolSync 0.11.2 security fixes and enhancements for RHEL 9
Notes
Topic
VolSync v0.11.2 general availability release images, which provide
enhancements, security fixes, and updated container images.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.
Details
VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication
of persistent volumes within a cluster, or across clusters. After deploying
the VolSync operator, it can create and maintain copies of your persistent
data.
For more information about VolSync, see:
https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync
or the VolSync open source community website at:
https://volsync.readthedocs.io/en/stable/
This advisory contains enhancements and updates to the VolSync
container images.
Security fix(es):
* golang.org/x/oauth2: Unexpected memory consumption during token parsing in
golang.org/x/oauth2 (CVE-2025-22868)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of
golang.org/x/crypto/ssh (CVE-2025-22869)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "VolSync v0.11.2 general availability release images, which provide\nenhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "VolSync v0.11.2 is a Kubernetes operator that enables asynchronous replication\nof persistent volumes within a cluster, or across clusters. After deploying\nthe VolSync operator, it can create and maintain copies of your persistent\ndata.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at:\nhttps://volsync.readthedocs.io/en/stable/\n\nThis advisory contains enhancements and updates to the VolSync\ncontainer images.\n\nSecurity fix(es):\n\n* golang.org/x/oauth2: Unexpected memory consumption during token parsing in\ngolang.org/x/oauth2 (CVE-2025-22868)\n* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of\ngolang.org/x/crypto/ssh (CVE-2025-22869)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:3959",
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "ACM-19031",
"url": "https://issues.redhat.com/browse/ACM-19031"
},
{
"category": "external",
"summary": "HYPBLD-618",
"url": "https://issues.redhat.com/browse/HYPBLD-618"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3959.json"
}
],
"title": "Red Hat Security Advisory: VolSync 0.11.2 security fixes and enhancements for RHEL 9",
"tracking": {
"current_release_date": "2025-12-27T16:38:42+00:00",
"generator": {
"date": "2025-12-27T16:38:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.14"
}
},
"id": "RHSA-2025:3959",
"initial_release_date": "2025-04-16T21:10:52+00:00",
"revision_history": [
{
"date": "2025-04-16T21:10:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-04-16T21:10:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-27T16:38:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product": {
"name": "Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:acm:2.12::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat ACM"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product_id": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
},
{
"category": "product_version",
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product": {
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product_id": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2/volsync-operator-bundle\u0026tag=v0.11.2-8"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product_id": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product_id": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product": {
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product_id": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2/volsync-rhel9\u0026tag=v0.11.2-9"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64"
},
"product_reference": "rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"relates_to_product_reference": "9Base-RHACM-2.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9",
"product_id": "9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
},
"product_reference": "rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64",
"relates_to_product_reference": "9Base-RHACM-2.12"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"jub0bs"
]
}
],
"cve": "CVE-2025-22868",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2025-02-26T04:00:44.350024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348366"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22868"
},
{
"category": "external",
"summary": "RHBZ#2348366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22868"
},
{
"category": "external",
"summary": "https://go.dev/cl/652155",
"url": "https://go.dev/cl/652155"
},
{
"category": "external",
"summary": "https://go.dev/issue/71490",
"url": "https://go.dev/issue/71490"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3488",
"url": "https://pkg.go.dev/vuln/GO-2025-3488"
}
],
"release_date": "2025-02-26T03:07:49.012000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-04-16T21:10:52+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws"
},
{
"cve": "CVE-2025-22869",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-02-26T04:00:47.683125+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2348367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While this flaw affects both SSH clients and servers implemented with golang.org/x/crypto/ssh, realistically the flaw will only lead to a DoS when transferring large files, greatly reducing the likelihood of exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-22869"
},
{
"category": "external",
"summary": "RHBZ#2348367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-22869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22869"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22869"
},
{
"category": "external",
"summary": "https://go.dev/cl/652135",
"url": "https://go.dev/cl/652135"
},
{
"category": "external",
"summary": "https://go.dev/issue/71931",
"url": "https://go.dev/issue/71931"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3487",
"url": "https://pkg.go.dev/vuln/GO-2025-3487"
}
],
"release_date": "2025-02-26T03:07:48.855000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-04-16T21:10:52+00:00",
"details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes\ndocumentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.12/html/business_continuity/business-cont-overview#volsync",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:3959"
},
{
"category": "workaround",
"details": "This flaw can be mitigated when using the client only connecting to trusted servers.",
"product_ids": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHACM-2.12:rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le",
"9Base-RHACM-2.12:rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…