CVE-2025-66566 (GCVE-0-2025-66566)
Vulnerability from cvelistv5 – Published: 2025-12-05 18:10 – Updated: 2025-12-05 18:27
CWE-201 - Insertion of Sensitive Information Into Sent Data
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-05T18:27:10.782475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:27:32.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lz4-java",
"vendor": "yawkat",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T18:10:16.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
},
{
"name": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
}
],
"source": {
"advisory": "GHSA-cmp6-m4wj-q63q",
"discovery": "UNKNOWN"
},
"title": "yawkat LZ4 Java has a possible information leak in Java safe decompressor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66566",
"datePublished": "2025-12-05T18:10:16.470Z",
"dateReserved": "2025-12-04T16:17:35.385Z",
"dateUpdated": "2025-12-05T18:27:32.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-66566\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-05T18:15:59.580\",\"lastModified\":\"2025-12-08T18:26:49.133\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnA
vailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]}],\"references\":[{\"url\":\"https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66566\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-05T18:27:10.782475Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-05T18:27:22.958Z\"}}], \"cna\": {\"title\": \"yawkat LZ4 Java has a possible information leak in Java safe decompressor\", \"source\": {\"advisory\": \"GHSA-cmp6-m4wj-q63q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"yawkat\", \"product\": \"lz4-java\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.10.1\"}]}], \"references\": [{\"url\": \"https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q\", \"name\": \"https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840\", \"name\": \"https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"yawkat LZ4 Java provides LZ4 compression for 
Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-201\", \"description\": \"CWE-201: Insertion of Sensitive Information Into Sent Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-05T18:10:16.470Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-66566\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-05T18:27:32.797Z\", \"dateReserved\": \"2025-12-04T16:17:35.385Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-05T18:10:16.470Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:0761
Vulnerability from csaf_redhat - Published: 2026-01-19 03:34 - Updated: 2026-01-22 19:42
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "An update is now available for the Red Hat build of Cryostat 4 on RHEL 9.\n\nSecurity Fix(es):\n\n* lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)\n* qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0761",
"url": "https://access.redhat.com/errata/RHSA-2026:0761"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "2425946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0761.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Cryostat security update",
"tracking": {
"current_release_date": "2026-01-22T19:42:47+00:00",
"generator": {
"date": "2026-01-22T19:42:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0761",
"initial_release_date": "2026-01-19T03:34:11+00:00",
"revision_history": [
{
"date": "2026-01-19T03:34:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-19T03:34:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-22T19:42:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Cryostat 4 on RHEL 9",
"product": {
"name": "Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cryostat:4::el9"
}
}
}
],
"category": "product_family",
"name": "Cryostat"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.6.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"product_id": "cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960?arch=amd64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.1.0-16"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"product": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"product_id": "cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-agent-init-rhel9\u0026tag=0.6.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"product": {
"name": "cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"product_id": "cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-db-rhel9\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"product": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"product_id": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-grafana-dashboard-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"product": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"product_id": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-openshift-console-plugin-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"product": {
"name": "cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"product_id": "cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-reports-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"product": {
"name": "cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"product_id": "cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"product": {
"name": "cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"product_id": "cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-operator-bundle\u0026tag=4.1.0-16"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"product": {
"name": "cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"product_id": "cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-rhel9-operator\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"product": {
"name": "cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"product_id": "cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/cryostat-storage-rhel9\u0026tag=4.1.0-21"
}
}
},
{
"category": "product_version",
"name": "cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64",
"product": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64",
"product_id": "cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948?arch=arm64\u0026repository_url=registry.redhat.io/cryostat/jfr-datasource-rhel9\u0026tag=4.1.0-16"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64"
},
"product_reference": "cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64"
},
"product_reference": "cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64"
},
"product_reference": "cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64"
},
"product_reference": "cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64"
},
"product_reference": "cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64"
},
"product_reference": "cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64"
},
"product_reference": "cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64"
},
"product_reference": "cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64"
},
"product_reference": "cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"relates_to_product_reference": "9Base-Cryostat-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64 as a component of Cryostat 4 on RHEL 9",
"product_id": "9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
},
"product_reference": "cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64",
"relates_to_product_reference": "9Base-Cryostat-4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-15284",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-12-29T23:00:58.541337+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2425946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation (e.g., `a[]=value`). This bypasses the `arrayLimit` option, which is designed to limit the size of parsed arrays and prevent resource exhaustion. Successful exploitation can lead to memory exhaustion, causing a Denial of Service (DoS) where the application crashes or becomes unresponsive, making the service unavailable to users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "qs: qs: Denial of Service via improper input validation in array parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important for Red Hat products that utilize the `qs` module for parsing query strings, particularly when processing user-controlled input with bracket notation. The `arrayLimit` option, intended to prevent resource exhaustion, is bypassed when bracket notation (`a[]=value`) is used, allowing a remote attacker to cause a denial of service through memory exhaustion. This can lead to application crashes or unresponsiveness, making the service unavailable.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64"
],
"known_not_affected": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-15284"
},
{
"category": "external",
"summary": "RHBZ#2425946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9",
"url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
},
{
"category": "external",
"summary": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p",
"url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
}
],
"release_date": "2025-12-29T22:56:45.240000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-19T03:34:11+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0761"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "qs: qs: Denial of Service via improper input validation in array parsing"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
],
"known_not_affected": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-19T03:34:11+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0761"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:47f169436c4a6e40c8e829af7e753e481b5e672ca24b59971a2914807e968bc7_amd64",
"9Base-Cryostat-4:cryostat/cryostat-agent-init-rhel9@sha256:85f9a6db86ade5099c06d162d6affcd65f117f8449e3f18df628a89ba90e7eb1_arm64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:58a80ea179c75c8cfba9c1171930c647f8b1da4f6720925166ba88debb562f68_amd64",
"9Base-Cryostat-4:cryostat/cryostat-db-rhel9@sha256:5abe74e5e4e6c0272cb013786441d99f3c182f56e120f8db68bfa2288a2b0741_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:30742c883d8b607beace385e79829d3e954b222e973ebda2ebbe80d05b89df4a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-grafana-dashboard-rhel9@sha256:449cdba9e4b8d185a14530cb4877532a6e8dccbd9892862f03caffd3255e7d4d_amd64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:42ad2b45f4837a3a7145bb5465193c0fbd0f9a19cd084319ae3cec2c044d7749_arm64",
"9Base-Cryostat-4:cryostat/cryostat-openshift-console-plugin-rhel9@sha256:d5052b06326f477548bc4e5d0b941040dd8263e5f1d431dca86cc1d19cdfb227_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:3990bc1d5cdbba8a52bfd6e22811d056b122e3d0e423eb9fd6480ac02f56a8bc_amd64",
"9Base-Cryostat-4:cryostat/cryostat-operator-bundle@sha256:bde9b20b5563b1f76e64adfd16325158dd4d6a3d7f5cc6bb114c11e6bdf8d863_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:0dc529cfd1c5b62bab2b45a002029260ee1add496bf771ddf430d7f2388a3a3c_arm64",
"9Base-Cryostat-4:cryostat/cryostat-reports-rhel9@sha256:3ba64d19551ff3ebfe9fd9939e0fd338135addb278c29f32c6d3dbdfba72c682_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:1faf17c23b013dff6ef9967fb12c35df9cb44c816ad2422ddf028006c35ee003_arm64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9-operator@sha256:9e066a2c850468e029b0b0c78857a96d71f4ed005a1b29b903f47dcd74e308ce_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:89580204b1fb3c1df3fcccb6b22cf47f4b5a7f76cc779984274c72b24c9d0f37_amd64",
"9Base-Cryostat-4:cryostat/cryostat-rhel9@sha256:b15d84cdd4f637461f3776b3170f80f330da4fffede49aec08bae13031e3d89a_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:2309b2886630d23f88c169d53a0213547d1ad42d337c77332dcb279ee31c6c3f_arm64",
"9Base-Cryostat-4:cryostat/cryostat-storage-rhel9@sha256:e421d42889a7f26d7023c6d13cf24f299a76967fa3c89bf7a7aaa226fe5fd5fb_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3ba904612846ada1e6fc3d48e35c33642b93030a41dd148e7fac998ba59ab960_amd64",
"9Base-Cryostat-4:cryostat/jfr-datasource-rhel9@sha256:3e9168fa43bfd9af8c55c73b45359c06ad65cd22d10770ba5c75fe83d0c5f948_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0134
Vulnerability from csaf_redhat - Published: 2026-01-06 13:22 - Updated: 2026-01-21 23:32
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.27.1.SP1 includes the following CVE fixes:\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.27] (CVE-2025-66566)\n\n* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.27] (CVE-2025-12183)\n\n* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.27] (CVE-2025-11966)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0134",
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1.SP1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0134.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1.SP1 security update",
"tracking": {
"current_release_date": "2026-01-21T23:32:32+00:00",
"generator": {
"date": "2026-01-21T23:32:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0134",
"initial_release_date": "2026-01-06T13:22:25+00:00",
"revision_history": [
{
"date": "2026-01-06T13:22:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-06T13:22:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-21T23:32:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.27.1.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.27.1.SP1",
"product_id": "Red Hat build of Quarkus 3.27.1.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.27::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-12183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-28T16:00:42.516514+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability affects the \"fast\" decompressor because that implementation relies on the LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library because it lacks boundary checks and is considered insecure when processing untrusted input.\nRed Hat has rated this vulnerability as having a security impact of Moderate because the attack may be considered to be of high complexity; additionally, when it is exploited, the attacker doesn\u0027t have full control over the memory read and its content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12183"
},
{
"category": "external",
"summary": "RHBZ#2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
"url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1"
},
{
"category": "external",
"summary": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
}
],
"release_date": "2025-11-28T15:52:56.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0467
Vulnerability from csaf_redhat - Published: 2026-01-12 15:04 - Updated: 2026-01-19 13:55
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 is now available (RHBQ 3.20.4.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Important.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 is now available (RHBQ 3.20.4.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0467",
"url": "https://access.redhat.com/errata/RHSA-2026:0467"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-66566",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0467.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.10 for Quarkus 3.20 update is now available (RHBQ 3.20.4.SP1)",
"tracking": {
"current_release_date": "2026-01-19T13:55:46+00:00",
"generator": {
"date": "2026-01-19T13:55:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0467",
"initial_release_date": "2026-01-12T15:04:27+00:00",
"revision_history": [
{
"date": "2026-01-12T15:04:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-12T15:04:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T13:55:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product": {
"name": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product_id": "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_quarkus:3.20"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-12T15:04:27+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0467"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.10 for Quarkus 3.20"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0726
Vulnerability from csaf_redhat - Published: 2026-01-15 19:53 - Updated: 2026-01-19 13:56
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat build of Apache Camel 4.14.2 for Spring Boot patch 1 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives\na detailed severity rating, is available for each vulnerability from the CVE\nlink(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Apache Camel 4.14.2 for Spring Boot patch 1 release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n \n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0726",
"url": "https://access.redhat.com/errata/RHSA-2026:0726"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0726.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.2.P1 for Spring Boot release.",
"tracking": {
"current_release_date": "2026-01-19T13:56:08+00:00",
"generator": {
"date": "2026-01-19T13:56:08+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0726",
"initial_release_date": "2026-01-15T19:53:18+00:00",
"revision_history": [
{
"date": "2026-01-15T19:53:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-15T19:53:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T13:56:08+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9",
"product": {
"name": "Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9",
"product_id": "Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.14"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-15T19:53:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0726"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0751
Vulnerability from csaf_redhat - Published: 2026-01-19 01:16 - Updated: 2026-01-19 13:56
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jmc is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JDK Mission Control is a powerful profiler for HotSpot JVMs and has an advanced set of tools that enables efficient and detailed analysis of the extensive data collected by JDK Flight Recorder. The tool chain enables developers and administrators to collect and analyze data from Java applications running locally or deployed in production environments.\n\nSecurity Fix(es):\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0751",
"url": "https://access.redhat.com/errata/RHSA-2026:0751"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0751.json"
}
],
"title": "Red Hat Security Advisory: jmc security update",
"tracking": {
"current_release_date": "2026-01-19T13:56:16+00:00",
"generator": {
"date": "2026-01-19T13:56:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0751",
"initial_release_date": "2026-01-19T01:16:23+00:00",
"revision_history": [
{
"date": "2026-01-19T01:16:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-19T01:16:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T13:56:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"product": {
"name": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"product_id": "CRB-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::crb"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "jmc-0:8.2.0-18.el9_6.2.src",
"product": {
"name": "jmc-0:8.2.0-18.el9_6.2.src",
"product_id": "jmc-0:8.2.0-18.el9_6.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jmc@8.2.0-18.el9_6.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jmc-0:8.2.0-18.el9_6.2.x86_64",
"product": {
"name": "jmc-0:8.2.0-18.el9_6.2.x86_64",
"product_id": "jmc-0:8.2.0-18.el9_6.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jmc@8.2.0-18.el9_6.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jmc-0:8.2.0-18.el9_6.2.src as a component of Red Hat CodeReady Linux Builder EUS (v.9.6)",
"product_id": "CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.src"
},
"product_reference": "jmc-0:8.2.0-18.el9_6.2.src",
"relates_to_product_reference": "CRB-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jmc-0:8.2.0-18.el9_6.2.x86_64 as a component of Red Hat CodeReady Linux Builder EUS (v.9.6)",
"product_id": "CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.x86_64"
},
"product_reference": "jmc-0:8.2.0-18.el9_6.2.x86_64",
"relates_to_product_reference": "CRB-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.src",
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-19T01:16:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.src",
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0751"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.src",
"CRB-9.6.0.Z.EUS:jmc-0:8.2.0-18.el9_6.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0131
Vulnerability from csaf_redhat - Published: 2026-01-06 13:12 - Updated: 2026-01-21 23:32
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.20.4.SP1 includes the following CVE fixes:\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.20] (CVE-2025-66566)\n\n* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.20] (CVE-2025-12183)\n\n* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.20 (CVE-2025-11966)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0131",
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4.SP1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0131.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.4.SP1 security update",
"tracking": {
"current_release_date": "2026-01-21T23:32:30+00:00",
"generator": {
"date": "2026-01-21T23:32:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0131",
"initial_release_date": "2026-01-06T13:12:23+00:00",
"revision_history": [
{
"date": "2026-01-06T13:12:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-13T15:04:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-21T23:32:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.20.4.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.20.4.SP1",
"product_id": "Red Hat build of Quarkus 3.20.4.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.20::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-12183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-28T16:00:42.516514+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability affects the \"fast\" decompressor, this is due to the fact such implementation relies on LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library as it misses boundary checks and is considered insecure when processing untrusted inputs.\nRed Hat has considered this vulnerability as having a security impact of Moderate as the attack may be considered of a high complexity, additionally when exploited the attacker doesn\u0027t have full control over the memory read and its content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12183"
},
{
"category": "external",
"summary": "RHBZ#2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
"url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1"
},
{
"category": "external",
"summary": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
}
],
"release_date": "2025-11-28T15:52:56.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0468
Vulnerability from csaf_redhat - Published: 2026-01-12 15:22 - Updated: 2026-01-19 13:55
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.1.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Important.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.1.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n * lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0468",
"url": "https://access.redhat.com/errata/RHSA-2026:0468"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0468.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.1.SP1)",
"tracking": {
"current_release_date": "2026-01-19T13:55:46+00:00",
"generator": {
"date": "2026-01-19T13:55:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0468",
"initial_release_date": "2026-01-12T15:22:38+00:00",
"revision_history": [
{
"date": "2026-01-12T15:22:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-12T15:22:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T13:55:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
"product": {
"name": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
"product_id": "Red Hat Build of Apache Camel 4.14 for Quarkus 3.27",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_quarkus:3.27"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-12T15:22:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0468"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.14 for Quarkus 3.27"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0752
Vulnerability from csaf_redhat - Published: 2026-01-19 01:17 - Updated: 2026-01-19 13:56
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jmc is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "JDK Mission Control is a powerful profiler for HotSpot JVMs and has an advanced set of tools that enables efficient and detailed analysis of the extensive data collected by JDK Flight Recorder. The tool chain enables developers and administrators to collect and analyze data from Java applications running locally or deployed in production environments.\n\nSecurity Fix(es):\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing (CVE-2025-66566)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0752",
"url": "https://access.redhat.com/errata/RHSA-2026:0752"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0752.json"
}
],
"title": "Red Hat Security Advisory: jmc security update",
"tracking": {
"current_release_date": "2026-01-19T13:56:16+00:00",
"generator": {
"date": "2026-01-19T13:56:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0752",
"initial_release_date": "2026-01-19T01:17:13+00:00",
"revision_history": [
{
"date": "2026-01-19T01:17:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-19T01:17:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T13:56:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"product_id": "CRB-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::crb"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "jmc-0:8.2.0-18.el9_7.2.src",
"product": {
"name": "jmc-0:8.2.0-18.el9_7.2.src",
"product_id": "jmc-0:8.2.0-18.el9_7.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jmc@8.2.0-18.el9_7.2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jmc-0:8.2.0-18.el9_7.2.x86_64",
"product": {
"name": "jmc-0:8.2.0-18.el9_7.2.x86_64",
"product_id": "jmc-0:8.2.0-18.el9_7.2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jmc@8.2.0-18.el9_7.2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jmc-0:8.2.0-18.el9_7.2.src as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"product_id": "CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.src"
},
"product_reference": "jmc-0:8.2.0-18.el9_7.2.src",
"relates_to_product_reference": "CRB-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jmc-0:8.2.0-18.el9_7.2.x86_64 as a component of Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"product_id": "CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.x86_64"
},
"product_reference": "jmc-0:8.2.0-18.el9_7.2.x86_64",
"relates_to_product_reference": "CRB-9.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.src",
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-19T01:17:13+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.src",
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0752"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.src",
"CRB-9.7.0.Z.MAIN:jmc-0:8.2.0-18.el9_7.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
NCSC-2026-0021
Vulnerability from csaf_ncscnl - Published: 2026-01-21 09:19 - Updated: 2026-01-21 09:19
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy or incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle heeft kwetsbaarheden verholpen in Oracle Database Server producten.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in Oracle Database Server stellen niet-geauthenticeerde aanvallers in staat om de integriteit en vertrouwelijkheid van gegevens te compromitteren. Dit kan leiden tot ongeautoriseerde toegang tot gevoelige data en zelfs een mogelijke overname van de SQLcl-component. ",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"title": "CWE-93"
},
{
"category": "general",
"text": "Improper Neutralization of Escape, Meta, or Control Sequences",
"title": "CWE-150"
},
{
"category": "general",
"text": "Insertion of Sensitive Information Into Sent Data",
"title": "CWE-201"
},
{
"category": "general",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "general",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
},
{
"category": "general",
"text": "Inadequate Encryption Strength",
"title": "CWE-326"
},
{
"category": "general",
"text": "Improper Verification of Cryptographic Signature",
"title": "CWE-347"
},
{
"category": "general",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Use of Uninitialized Variable",
"title": "CWE-457"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Use of Uninitialized Resource",
"title": "CWE-908"
},
{
"category": "general",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "general",
"text": "CWE-1035",
"title": "CWE-1035"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html"
}
],
"title": "Kwetsbaarheden verholpen in Oracle Database Server producten",
"tracking": {
"current_release_date": "2026-01-21T09:19:00.000449Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0021",
"initial_release_date": "2026-01-21T09:19:00.000449Z",
"revision_history": [
{
"date": "2026-01-21T09:19:00.000449Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Core RDBMS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Essbase"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Fleet Patching and Provisioning"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "GoldenGate"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "GoldenGate Big Data and Application Adapters"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Goldengate Stream Analytics"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "GraalVM"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "Graph Server And Client"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "Java Virtual Machine"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "NoSQL Database"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "Oracle APEX Sample Applications"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "Oracle Database Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "Oracle Graal Development Kit for Micronaut"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "Oracle Zero Data Loss Recovery Appliance Software"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-15"
}
}
],
"category": "product_name",
"name": "SQLcl"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-16"
}
}
],
"category": "product_name",
"name": "Secure Backup"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-17"
}
}
],
"category": "product_name",
"name": "Spatial and Graph"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-8194",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "other",
"text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"title": "CWE-835"
},
{
"category": "description",
"text": "Recent updates for Python 3 address multiple vulnerabilities, including denial of service risks in the tarfile module and HTML parsing, affecting various versions and leading to potential infinite loops and deadlocks.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-8194 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-8194.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-8194"
},
{
"cve": "CVE-2025-12383",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "other",
"text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"title": "CWE-362"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Oracle Database Server versions 23.4.0-23.26.0 have a vulnerability in the Fleet Patching and Provisioning component, while Eclipse Jersey versions 2.45, 3.0.16, and 3.1.9 may ignore critical SSL configurations due to a race condition.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12383 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12383.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-12383"
},
{
"cve": "CVE-2025-30065",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle NoSQL Database and Apache Parquet allow for significant security risks, including arbitrary code execution and database compromise, affecting versions 1.5 and 1.6 of Oracle NoSQL and 1.15.0 and earlier of Apache Parquet.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-30065 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-30065.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-30065"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "Multiple vulnerabilities have been identified in Oracle WebLogic Server and Oracle Communications ASAP, both allowing unauthenticated partial denial of service, alongside an uncontrolled recursion issue in Apache Commons Lang leading to potential application crashes.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-54874",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"notes": [
{
"category": "other",
"text": "Use of Uninitialized Variable",
"title": "CWE-457"
},
{
"category": "description",
"text": "Oracle Fusion Middleware has a critical vulnerability (CVSS 9.8) allowing unauthenticated access, while OpenJPEG versions 2.5.1 to 2.5.3 contain a flaw leading to out-of-bounds heap memory writes.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-54874 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-54874.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-54874"
},
{
"cve": "CVE-2025-55039",
"cwe": {
"id": "CWE-326",
"name": "Inadequate Encryption Strength"
},
"notes": [
{
"category": "other",
"text": "Inadequate Encryption Strength",
"title": "CWE-326"
},
{
"category": "other",
"text": "Improper Verification of Cryptographic Signature",
"title": "CWE-347"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Spark versions prior to 4.0.0, 3.5.2, and 3.4.4 have a vulnerability due to insecure RPC encryption, while Oracle GoldenGate Stream Analytics versions 19.1.0.0.0-19.1.0.0.11 allow unauthorized data access.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-55039 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55039.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-55039"
},
{
"cve": "CVE-2025-59250",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "A vulnerability in Oracle GoldenGate\u0027s JDBC Driver for SQL Server (versions 21.3-21.20 and 23.4-23.10) allows unauthenticated attackers to exploit improper input validation, posing significant confidentiality and integrity risks with a CVSS score of 8.1.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-59250 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59250.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-59250"
},
{
"cve": "CVE-2025-59419",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"title": "CWE-93"
},
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Netty\u0027s SMTP codec has a command injection vulnerability allowing email forgery, while Oracle GoldenGate Big Data and Application Adapters are susceptible to denial of service attacks by low-privileged users.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-59419 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59419.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-59419"
},
{
"cve": "CVE-2025-61755",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "Vulnerabilities in Oracle GraalVM for JDK and the GraalVM Multilingual Engine of Oracle Database Server allow unauthorized data access, with CVSS scores of 3.7 and 3.1, respectively.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61755 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61755.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-61755"
},
{
"cve": "CVE-2025-61795",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Tomcat and Oracle Communications Unified Assurance have critical vulnerabilities related to Denial of Service (DoS) risks, affecting multiple versions and requiring updates to address issues like improper resource shutdown and HTTP access exploitation.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-61795 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-61795"
},
{
"cve": "CVE-2025-65082",
"cwe": {
"id": "CWE-150",
"name": "Improper Neutralization of Escape, Meta, or Control Sequences"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Escape, Meta, or Control Sequences",
"title": "CWE-150"
},
{
"category": "description",
"text": "Recent vulnerabilities in Oracle Communications Unified Assurance and Apache HTTP Server versions 2.4.0 to 2.4.65 expose systems to unauthorized data manipulation, denial of service, and sensitive information disclosure through various exploitation methods.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-65082 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-65082.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-65082"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"notes": [
{
"category": "other",
"text": "Insertion of Sensitive Information Into Sent Data",
"title": "CWE-201"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "other",
"text": "Use of Uninitialized Resource",
"title": "CWE-908"
},
{
"category": "description",
"text": "Multiple vulnerabilities in lz4-java (1.10.0 and earlier) and Oracle Essbase (21.8.0.0.0) allow unauthorized access and sensitive data disclosure due to insufficient buffer clearing and unauthenticated access, respectively.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-66566 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66566.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-66566"
},
{
"cve": "CVE-2025-67735",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"title": "CWE-93"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "The `io.netty.handler.codec.http.HttpRequestEncoder` is vulnerable to CRLF injection in the request URI, leading to request smuggling, while the Oracle Graal Development Kit for Micronaut has an exploitable vulnerability affecting specific versions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-67735 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-67735.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-67735"
},
{
"cve": "CVE-2025-68161",
"cwe": {
"id": "CWE-297",
"name": "Improper Validation of Certificate with Host Mismatch"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Certificate with Host Mismatch",
"title": "CWE-297"
},
{
"category": "other",
"text": "Improper Certificate Validation",
"title": "CWE-295"
},
{
"category": "other",
"text": "CWE-1035",
"title": "CWE-1035"
},
{
"category": "other",
"text": "CWE-937",
"title": "CWE-937"
},
{
"category": "description",
"text": "Apache Log4j Core versions 2.0-beta9 to 2.25.2 lack TLS hostname verification in the Socket Appender, while Oracle\u0027s Primavera Gateway has a vulnerability allowing unauthenticated access via TLS.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-68161 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-68161.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2025-68161"
},
{
"cve": "CVE-2026-21931",
"notes": [
{
"category": "description",
"text": "A vulnerability in Oracle APEX Sample Applications allows low-privileged attackers to compromise applications, leading to unauthorized data access and modifications across several supported versions.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21931 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21931.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-21931"
},
{
"cve": "CVE-2026-21939",
"notes": [
{
"category": "description",
"text": "A vulnerability in Oracle Database Server\u0027s SQLcl component (versions 23.4.0-23.26.0) allows unauthenticated attackers to compromise SQLcl with human interaction, rated with a CVSS 3.1 Base Score of 7.0.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21939 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21939.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-21939"
},
{
"cve": "CVE-2026-21975",
"notes": [
{
"category": "description",
"text": "A vulnerability in the Java VM component of Oracle Database Server versions 19.3-19.29 and 21.3-21.20 allows high-privileged authenticated users to potentially cause a denial of service, with a CVSS score of 4.5.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21975 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21975.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-21975"
},
{
"cve": "CVE-2026-21977",
"notes": [
{
"category": "description",
"text": "A vulnerability in Oracle Zero Data Loss Recovery Appliance Software (versions 23.1.0-23.1.202509) allows unauthenticated attackers to potentially gain unauthorized read access to data, with a CVSS score of 3.1.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-21977 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21977.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17"
]
}
],
"title": "CVE-2026-21977"
}
]
}
FKIE_CVE-2025-66566
Vulnerability from fkie_nvd - Published: 2025-12-05 18:15 - Updated: 2025-12-08 18:26
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1."
}
],
"id": "CVE-2025-66566",
"lastModified": "2025-12-08T18:26:49.133",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-05T18:15:59.580",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-CMP6-M4WJ-Q63Q
Vulnerability from github – Published: 2025-12-05 18:54 – Updated: 2025-12-05 18:54
Summary
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data.
JNI-based implementations are not affected.
Details
During the decompression process, the lz4 algorithm may have to repeat data that was previously decompressed in the same input frame. In the Java implementation, this is implemented by copy operations within the output buffer.
With a crafted input, an attacker may induce the Java implementation to copy from a region in the output buffer that does not contain decompressed data yet. If that region contains sensitive information because the output buffer was not cleared prior to decompression, that data will then be copied to the decompressed output.
- `LZ4Factory.nativeInstance().safeDecompressor()` is not affected.
- `LZ4Factory.nativeInstance().fastDecompressor()` is affected because it actually uses `safeInstance()` since 1.8.1. In 1.8.0 and earlier versions, this implementation is instead vulnerable to the more severe CVE‐2025‐12183, so downgrading is not a solution.
- Both decompressors of `LZ4Factory.safeInstance()`, `LZ4Factory.unsafeInstance()` and `LZ4Factory.fastestJavaInstance()` are affected.
- `LZ4Factory.fastestInstance()` uses the `nativeInstance` or `fastestJavaInstance` depending on platform. `LZ4Factory.fastestInstance().fastDecompressor()` is always affected, while `LZ4Factory.fastestInstance().safeDecompressor()` is affected only when JNI cannot be used (e.g. on unsupported platforms).
Independent of this vulnerability, it is recommended that users migrate from fastDecompressor to safeDecompressor, as the latter is more performant (despite the name).
The impact of this vulnerability depends on how user code interacts with the decompression API. Users that allocate a new destination buffer each time, or use only zeroed buffers, are not impacted. When the buffer is reused, however, the confidentiality impact can be severe. This vulnerability is marked as VC:H out of caution.
Mitigation
lz4-java 1.10.1 fixes this issue without requiring changes in user code.
If you cannot upgrade to 1.10.1, you can mitigate this vulnerability by zeroing the output buffer before passing it to the decompression function.
Relation to CVE‐2025‐12183
This CVE is a different attack than CVE‐2025‐12183, affecting different implementations with different impact. This new vulnerability was discovered by CodeIntelligence during research that followed up on CVE‐2025‐12183. Users are recommended to upgrade to 1.10.1 to fix both vulnerabilities.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.0"
},
"package": {
"ecosystem": "Maven",
"name": "at.yawk.lz4:lz4-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lz4:lz4-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.lz4:lz4-pure-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "net.jpountz.lz4:lz4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66566"
],
"database_specific": {
"cwe_ids": [
"CWE-201"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T18:54:55Z",
"nvd_published_at": "2025-12-05T18:15:59Z",
"severity": "HIGH"
},
"details": "### Summary\n\nInsufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data.\n\nJNI-based implementations are *not* affected.\n\n### Details\n\nDuring the decompression process, the lz4 algorithm may have to repeat data that was previously decompressed in the same input frame. In the Java implementation, this is implemented by copy operations within the output buffer.\n\nWith a crafted input, an attacker may induce the Java implementation to copy from a region in the output buffer that does not contain decompressed data yet. If that region contains sensitive information because the output buffer was not cleared prior to decompression, that data will then be copied to the decompressed output.\n\n- `LZ4Factory.nativeInstance().safeDecompressor()` *is not* affected.\n- `LZ4Factory.nativeInstance().fastDecompressor()` *is* affected because it actually uses `safeInstance()` since 1.8.1. In 1.8.0 and earlier versions, this implementation is instead vulnerable to the more severe [CVE\u20102025\u201012183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183), so downgrading is not a solution.\n- Both decompressors of `LZ4Factory.safeInstance()`, `LZ4Factory.unsafeInstance()` and `LZ4Factory.fastestJavaInstance()` are affected.\n- `LZ4Factory.fastestInstance()` uses the `nativeInstance` or `fastestJavaInstance` depending on platform. `LZ4Factory.fastestInstance().fastDecompressor()` is always affected, while `LZ4Factory.fastestInstance().safeDecompressor()` is affected only when JNI cannot be used (e.g. 
on unsupported platforms).\n\nIndependent of this vulnerability, it is recommended that users migrate from `fastDecompressor` to `safeDecompressor`, as the latter is more performant (despite the name).\n\nThe impact of this vulnerability depends on how user code interacts with the decompression API. Users that allocate a new destination buffer each time, or use only zeroed buffers, are not impacted. When the buffer is reused, however, the confidentiality impact can be severe. This vulnerability is marked as VC:H out of caution.\n\n### Mitigation\n\nlz4-java 1.10.1 fixes this issue without requiring changes in user code.\n\nIf you cannot upgrade to 1.10.1, you can mitigate this vulnerability by zeroing the output buffer before passing it to the decompression function.\n\n### Relation to CVE\u20102025\u201012183\n\nThis CVE is a different attack than [CVE\u20102025\u201012183](https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183), affecting different implementations with different impact. This new vulnerability was discovered by [CodeIntelligence](https://www.code-intelligence.com/) during research that followed up on CVE\u20102025\u201012183. Users are recommended to upgrade to 1.10.1 to fix both vulnerabilities.",
"id": "GHSA-cmp6-m4wj-q63q",
"modified": "2025-12-05T18:54:55Z",
"published": "2025-12-05T18:54:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"type": "WEB",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"type": "PACKAGE",
"url": "https://github.com/yawkat/lz4-java"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "yawkat LZ4 Java has a possible information leak in Java safe decompressor"
}
WID-SEC-W-2026-0019
Vulnerability from csaf_certbund - Published: 2026-01-06 23:00 - Updated: 2026-01-19 23:00
Notes
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren, einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0019 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0019.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0019 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0019"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0131 vom 2026-01-06",
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0134 vom 2026-01-06",
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0467 vom 2026-01-12",
"url": "https://access.redhat.com/errata/RHSA-2026:0467"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0468 vom 2026-01-12",
"url": "https://access.redhat.com/errata/RHSA-2026:0468"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0726 vom 2026-01-15",
"url": "https://access.redhat.com/errata/RHSA-2026:0726"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0761 vom 2026-01-19",
"url": "https://access.redhat.com/errata/RHSA-2026:0761"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0751 vom 2026-01-19",
"url": "https://access.redhat.com/errata/RHSA-2026:0751"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2026:0752 vom 2026-01-19",
"url": "https://access.redhat.com/errata/RHSA-2026:0752"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2026-0752 vom 2026-01-20",
"url": "http://linux.oracle.com/errata/ELSA-2026-0752.html"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux (Quarkus): Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-19T23:00:00.000+00:00",
"generator": {
"date": "2026-01-20T08:04:36.436+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0019",
"initial_release_date": "2026-01-06T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-06T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-01-12T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-01-15T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-01-18T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2026-01-19T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Oracle Linux aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version_range",
"name": "Quarkus \u003c3.20.4.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus \u003c3.20.4.SP1",
"product_id": "T049714"
}
},
{
"category": "product_version",
"name": "Quarkus 3.20.4.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus 3.20.4.SP1",
"product_id": "T049714-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.20.4.sp1"
}
}
},
{
"category": "product_version_range",
"name": "Quarkus \u003c3.27.1.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus \u003c3.27.1.SP1",
"product_id": "T049715"
}
},
{
"category": "product_version",
"name": "Quarkus 3.27.1.SP1",
"product": {
"name": "Red Hat Enterprise Linux Quarkus 3.27.1.SP1",
"product_id": "T049715-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.27.1.sp1"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11966",
"product_status": {
"known_affected": [
"T049715",
"67646",
"T004914"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-11966"
},
{
"cve": "CVE-2025-12183",
"product_status": {
"known_affected": [
"T049715",
"T049714",
"67646",
"T004914"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-12183"
},
{
"cve": "CVE-2025-66566",
"product_status": {
"known_affected": [
"T049715",
"T049714",
"67646",
"T004914"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66566"
}
]
}
CERTFR-2026-AVI-0041
Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14
De multiples vulnérabilités ont été découvertes dans les produits Elastic. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une falsification de requêtes côté serveur (SSRF).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Elastic | Packetbeat | Packetbeat versions 9.2.x antérieures à 9.2.4 |
| Elastic | Packetbeat | Packetbeat toutes versions 7.x |
| Elastic | Packetbeat | Packetbeat versions 8.19.x antérieures à 8.19.10 |
| Elastic | Packetbeat | Packetbeat versions 9.x antérieures à 9.1.10 |
| Elastic | Metricbeat | Metricbeat toutes versions 7.x |
| Elastic | Metricbeat | Metricbeat versions 8.19.x antérieures à 8.19.10 |
| Elastic | Elasticsearch | Elasticsearch versions 9.2.x antérieures à 9.2.4 |
| Elastic | Metricbeat | Metricbeat versions 9.x antérieures à 9.1.10 |
| Elastic | Elasticsearch | Elasticsearch toutes versions 7.x |
| Elastic | Elasticsearch | Elasticsearch versions 9.x antérieures à 9.1.10 |
| Elastic | Elasticsearch | Elasticsearch versions 8.19.x antérieures à 8.19.10 |
| Elastic | Metricbeat | Metricbeat versions 9.2.x antérieures à 9.2.4 |
| Elastic | Kibana | Kibana versions 8.19.x antérieures à 8.19.10 |
| Elastic | Kibana | Kibana toutes versions 7.x |
| Elastic | Kibana | Kibana versions 9.2.x antérieures à 9.2.4 |
| Elastic | Kibana | Kibana versions 9.x antérieures à 9.1.10 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Packetbeat versions 9.2.x ant\u00e9rieures \u00e0 9.2.4",
"product": {
"name": "Packetbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Packetbeat toutes versions 7.x",
"product": {
"name": "Packetbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Packetbeat versions 8.19.x ant\u00e9rieures \u00e0 8.19.10",
"product": {
"name": "Packetbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Packetbeat versions 9.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Packetbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Metricbeat toutes versions 7.x",
"product": {
"name": "Metricbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Metricbeat versions 8.19.x ant\u00e9rieures \u00e0 8.19.10",
"product": {
"name": "Metricbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Elasticsearch versions 9.2.x ant\u00e9rieures \u00e0 9.2.4",
"product": {
"name": "Elasticsearch",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Metricbeat versions 9.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Metricbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Elasticsearch toutes versions 7.x",
"product": {
"name": "Elasticsearch",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Elasticsearch versions 9.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Elasticsearch",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Elasticsearch versions 8.19.x ant\u00e9rieures \u00e0 8.19.10",
"product": {
"name": "Elasticsearch",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Metricbeat versions 9.2.x ant\u00e9rieures \u00e0 9.2.4",
"product": {
"name": "Metricbeat",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Kibana versions 8.19.x ant\u00e9rieures \u00e0 8.19.10",
"product": {
"name": "Kibana",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Kibana toutes versions 7.x",
"product": {
"name": "Kibana",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Kibana versions 9.2.x ant\u00e9rieures \u00e0 9.2.4",
"product": {
"name": "Kibana",
"vendor": {
"name": "Elastic",
"scada": false
}
}
},
{
"description": "Kibana versions 9.x ant\u00e9rieures \u00e0 9.1.10",
"product": {
"name": "Kibana",
"vendor": {
"name": "Elastic",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-0532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0532"
},
{
"name": "CVE-2026-0528",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0528"
},
{
"name": "CVE-2026-0530",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0530"
},
{
"name": "CVE-2026-0529",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0529"
},
{
"name": "CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"name": "CVE-2026-0543",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0543"
},
{
"name": "CVE-2026-0531",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0531"
}
],
"initial_release_date": "2026-01-14T00:00:00",
"last_revision_date": "2026-01-14T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0041",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Elastic. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Elastic",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-08",
"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-02",
"url": "https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-01",
"url": "https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-04",
"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-05",
"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-07",
"url": "https://discuss.elastic.co/t/elasticsearch-8-19-10-9-1-10-9-2-4-security-update-esa-2026-07/384525"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 Elastic ESA-2026-03",
"url": "https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.