Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 9134ac562ae0 · 2025-11-26T09:33:43.000Z
GHSA-49pm-cgmh-hw25 GHSA-892r-x96w-jh76 GHSA-h4r4-6hvf-34r8 GHSA-8mjc-g2w7-fch8 GHSA-932v-x9x2-vq29 GHSA-w88f-4875-99c8
diff --git a/advisories/unreviewed/2025/10/GHSA-49pm-cgmh-hw25/GHSA-49pm-cgmh-hw25.json b/advisories/unreviewed/2025/10/GHSA-49pm-cgmh-hw25/GHSA-49pm-cgmh-hw25.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-49pm-cgmh-hw25",
-  "modified": "2025-11-26T06:31:27Z",
+  "modified": "2025-11-26T09:31:21Z",
   "published": "2025-10-30T06:30:53Z",
   "aliases": [
     "CVE-2025-62229"
@@ -31,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-62229"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22167"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:22164"
diff --git a/advisories/unreviewed/2025/10/GHSA-892r-x96w-jh76/GHSA-892r-x96w-jh76.json b/advisories/unreviewed/2025/10/GHSA-892r-x96w-jh76/GHSA-892r-x96w-jh76.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-892r-x96w-jh76",
-  "modified": "2025-11-26T06:31:27Z",
+  "modified": "2025-11-26T09:31:21Z",
   "published": "2025-10-30T06:30:54Z",
   "aliases": [
     "CVE-2025-62230"
@@ -31,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-62230"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22167"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:22164"
diff --git a/advisories/unreviewed/2025/10/GHSA-h4r4-6hvf-34r8/GHSA-h4r4-6hvf-34r8.json b/advisories/unreviewed/2025/10/GHSA-h4r4-6hvf-34r8/GHSA-h4r4-6hvf-34r8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h4r4-6hvf-34r8",
-  "modified": "2025-11-26T06:31:27Z",
+  "modified": "2025-11-26T09:31:21Z",
   "published": "2025-10-30T06:30:53Z",
   "aliases": [
     "CVE-2025-62231"
@@ -31,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-62231"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2025:22167"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2025:22164"
diff --git a/advisories/unreviewed/2025/11/GHSA-8mjc-g2w7-fch8/GHSA-8mjc-g2w7-fch8.json b/advisories/unreviewed/2025/11/GHSA-8mjc-g2w7-fch8/GHSA-8mjc-g2w7-fch8.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8mjc-g2w7-fch8",
+  "modified": "2025-11-26T09:31:21Z",
+  "published": "2025-11-26T09:31:21Z",
+  "aliases": [
+    "CVE-2025-13735"
+  ],
+  "details": "Out-of-bounds Read vulnerability in ASR1903、ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C.\n\nThis issue affects Lapwing_Linux: before 2025/11/26.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13735"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.asrmicro.com/en/goods/psirt?cid=41"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-26T07:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-932v-x9x2-vq29/GHSA-932v-x9x2-vq29.json b/advisories/unreviewed/2025/11/GHSA-932v-x9x2-vq29/GHSA-932v-x9x2-vq29.json
@@ -0,0 +1,31 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-932v-x9x2-vq29",
+  "modified": "2025-11-26T09:31:22Z",
+  "published": "2025-11-26T09:31:22Z",
+  "aliases": [
+    "CVE-2025-62728"
+  ],
+  "details": "SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62728"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-26T09:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json b/advisories/unreviewed/2025/11/GHSA-w88f-4875-99c8/GHSA-w88f-4875-99c8.json
@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w88f-4875-99c8",
+  "modified": "2025-11-26T09:31:22Z",
+  "published": "2025-11-26T09:31:21Z",
+  "aliases": [
+    "CVE-2025-59390"
+  ],
+  "details": "Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,\n which is not a crypto-graphically secure random number generator. This \nmay allow an attacker to predict or brute force the secret used to sign \nauthentication cookies, potentially enabling token forgery or \nauthentication bypass. Additionally, each process generates its own \nfallback secret, resulting in inconsistent secrets across nodes. This \ncauses authentication failures in distributed or multi-broker \ndeployments, effectively leading to a incorrectly configured clusters. Users are \nadvised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`\n\n\n\nThis issue affects Apache Druid: through 34.0.0.\n\nUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59390"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2025/11/26/1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-11-26T09:15:46Z"
+  }
+}
