Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f79a61c5d0b3 · 2025-12-10T20:06:23.000Z
GHSA-9p56-p6mw-w8qc GHSA-rj35-4m94-77jh GHSA-9p56-p6mw-w8qc
diff --git a/advisories/github-reviewed/2025/12/GHSA-9p56-p6mw-w8qc/GHSA-9p56-p6mw-w8qc.json b/advisories/github-reviewed/2025/12/GHSA-9p56-p6mw-w8qc/GHSA-9p56-p6mw-w8qc.json
@@ -0,0 +1,122 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9p56-p6mw-w8qc",
+  "modified": "2025-12-10T20:05:52Z",
+  "published": "2025-12-10T18:30:26Z",
+  "aliases": [
+    "CVE-2025-67635"
+  ],
+  "summary": "Jenkins has a Denial of service vulnerability in HTTP-based CLI",
+  "details": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.main:jenkins-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.529"
+            },
+            {
+              "fixed": "2.541"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.main:cli"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.529"
+            },
+            {
+              "fixed": "2.541"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.main:jenkins-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.528.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.main:cli"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.528.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67635"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jenkinsci/jenkins/commit/efa1816322026f2b9235a27eee814bcc7ba0a764"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/jenkins"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-10T20:05:52Z",
+    "nvd_published_at": "2025-12-10T17:15:55Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-rj35-4m94-77jh/GHSA-rj35-4m94-77jh.json b/advisories/github-reviewed/2025/12/GHSA-rj35-4m94-77jh/GHSA-rj35-4m94-77jh.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rj35-4m94-77jh",
-  "modified": "2025-12-05T18:12:51Z",
+  "modified": "2025-12-10T20:03:48Z",
   "published": "2025-12-05T18:12:51Z",
   "aliases": [
     "CVE-2025-64763"
   ],
   "summary": "Envoy forwards early CONNECT data in TCP proxy mode",
-  "details": "## Summary\n\nForwarding of early CONNECT data in TCP proxy mode.\n\n## Details\n\nPer [RFC 7231-4.3.6](https://www.rfc-editor.org/rfc/rfc7231#section-4.3.6) the sender of CONNECT (and all inbound proxies)  switch to tunnel mode only after receiving 2xx response. However in TCP proxy mode, Envoy accepts client data before it has issued a 2xx response and eagerly proxies it to an established TCP connection. This creates possibility of a de-synchronized tunnel state if a proxy upstream from Envoy responds with a status other an 2xx.\n\nThe RFC does not specify the behavior in case an early CONNECT data is received and early CONNECT data is common as a latency reduction mechanism. To prevent disruption to existing deployments Envoy will by default allow early CONNECT data. Setting the `envoy.reloadable_features.reject_early_connect_data` runtime flag to `true` will cause CONNECT requests that send data before 2xx response to be rejected. This options should be enabled if there are intermediaries upstream from Envoy that may reject establishment of a CONNECT tunnel. \n\n## Impact\n\nDe-synchronization of CONNECT tunnel state if a forwarding proxy upstream from Envoy responds with a non 2xx status.\n\n## Attack vector(s)\nSending data for a CONNECT request before receiving 2xx response.\n\n## Patches\nUsers should upgrade to v1.36.3, v1.35.7, v1.34.11 or v1.33.13\n\n## Credits\n\nPatrick Smith (pesmithsea@gmail.com)",
+  "details": "## Summary\n\nForwarding of early CONNECT data in TCP proxy mode.\n\n## Details\n\nPer [RFC 7231-4.3.6](https://www.rfc-editor.org/rfc/rfc7231#section-4.3.6) the sender of CONNECT (and all inbound proxies)  switch to tunnel mode only after receiving 2xx response. However in TCP proxy mode, Envoy accepts client data before it has issued a 2xx response and eagerly proxies it to an established TCP connection. This creates possibility of a de-synchronized tunnel state if a proxy upstream from Envoy responds with a status other an 2xx.\n\nThe RFC does not specify the behavior in case an early CONNECT data is received and early CONNECT data is common as a latency reduction mechanism. To prevent disruption to existing deployments Envoy will by default allow early CONNECT data. Setting the `envoy.reloadable_features.reject_early_connect_data` runtime flag to `true` will cause CONNECT requests that send data before 2xx response to be rejected. This options should be enabled if there are intermediaries upstream from Envoy that may reject establishment of a CONNECT tunnel. \n\n## Impact\n\nDe-synchronization of CONNECT tunnel state if a forwarding proxy upstream from Envoy responds with a non 2xx status.\n\n## Attack vector(s)\nSending data for a CONNECT request before receiving 2xx response.\n\n## Patches\nUsers should upgrade to v1.36.3, v1.35.7, v1.34.11 or v1.33.13\n\n## Credits\n\n[chasingimpact](https://github.com/chasingimpact) (Patrick)",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/unreviewed/2025/12/GHSA-9p56-p6mw-w8qc/GHSA-9p56-p6mw-w8qc.json b/advisories/unreviewed/2025/12/GHSA-9p56-p6mw-w8qc/GHSA-9p56-p6mw-w8qc.json
