2025-10 Java Security Weekly News - Canonical, Red Hat, GitHub
Published on March 21, 2025
| Severity | Advisory |
|---|---|
| | Ubuntu Security Notices |
| | Red Hat Security Advisory |
| | Github Security Advisories |
| | [GHSA-q298-375f-5q63] Snowflake JDBC Driver client-side encryption key in DEBUG logs. `net.snowflake:snowflake-jdbc`: impacts versions >= 3.0.13, <= 3.23.0; fixed in 3.23.1 |
| | [GHSA-gvgg-2r3r-53x7] Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims. `org.keycloak:keycloak-services`: impacts versions >= 26.1.0, < 26.1.3; fixed in 26.1.3. `org.keycloak:keycloak-services`: impacts versions < 26.0.10; fixed in 26.0.10 |
| | [GHSA-2p82-5wwr-43cw] Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak. `org.keycloak:keycloak-ldap-federation`: impacts versions >= 26.1.0, < 26.1.3; fixed in 26.1.3. `org.keycloak:keycloak-ldap-federation`: impacts versions < 26.0.10; fixed in 26.0.10 |
| | [GHSA-47qw-ccjm-9c2c] LocalS3 XML Parser Vulnerable to XML External Entity (XXE) Injection. `io.github.robothy:local-s3-rest`: impacts versions < 1.21; fixed in 1.21 |
| | [GHSA-v232-254c-m6p7] LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API. `io.github.robothy:local-s3-rest`: impacts versions < 1.21; fixed in 1.21 |
| | [GHSA-2466-4485-4pxj] LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection. `io.github.robothy:local-s3-rest`: impacts versions < 1.21; fixed in 1.21 |
| | [GHSA-g6wm-2v64-wq36] LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection. `io.github.robothy:local-s3-rest`: impacts versions < 1.21; fixed in 1.21 |
| | org.xwiki.platform:xwiki-platform-security-authorization-api |
| HIGH | CVE-2025-29924 XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it is possible for a user to get access to private information through the REST API (and potentially through other APIs) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It is possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1. Published Wednesday, March 19, 2025 |
| | org.xwiki.platform:xwiki-platform-rest-server |
| HIGH | CVE-2025-29925 XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoint /rest/wikis/[wikiName]/pages even if the user does not have view rights on them. This is particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested, but the result is filtered based on page rights. Published Wednesday, March 19, 2025 |
| | org.xwiki.platform:xwiki-platform-wiki-rest-default |
| HIGH | CVE-2025-29926 XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module. Published Wednesday, March 19, 2025 |
| | Additional Java CVEs |
| N/A | CVE-2024-12020 There is a reflected cross-site scripting (XSS) within JSP files used to control application appearance. An unauthenticated attacker could deceive a user into clicking a crafted link to trigger the vulnerability. Stealing the session cookie is not possible due to cookie security flags, however the XSS may be used to induce a victim to perform on-site requests without their knowledge. This vulnerability only affects LogicalDOC Enterprise. Published Friday, March 14, 2025 |
| 7.3 | CVE-2025-2322 A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. It has been classified as critical. This affects an unknown part of the file /chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/OpenController.java. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. Published Saturday, March 15, 2025 |
| 6.3 | CVE-2025-2363 A vulnerability classified as critical has been found in lenve VBlog up to 1.0.0. Affected is the function uploadImg of the file blogserver/src/main/java/org/sang/controller/ArticleController.java. The manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, March 17, 2025 |
| 3.5 | CVE-2025-2364 A vulnerability classified as problematic was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function addNewArticle of the file blogserver/src/main/java/org/sang/service/ArticleService.java. The manipulation of the argument mdContent/htmlContent leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published Monday, March 17, 2025 |
| 6.3 | CVE-2025-2365 A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Published Monday, March 17, 2025 |
| N/A | CVE-2024-8510 N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Customer data is not exposed. This vulnerability is present in all deployments of N-central prior to N-central 2024.6. Published Monday, March 17, 2025 |
| 2.4 | CVE-2025-2491 A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Published Tuesday, March 18, 2025 |
| N/A | CVE-2025-25585 Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords. Published Tuesday, March 18, 2025 |
| N/A | CVE-2025-25589 An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file. Published Tuesday, March 18, 2025 |
| N/A | CVE-2025-29907 jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. The vulnerability was fixed in jsPDF 3.0.1. Published Tuesday, March 18, 2025 |
| N/A | CVE-2024-55551 An issue was discovered in Exasol jdbc driver 24.2.0. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the database. This can further lead to remote code execution vulnerability. Published Wednesday, March 19, 2025 |
| N/A | CVE-2024-8616 In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the `exportModelDetails` function in `ModelsHandler.java`, where the user-controllable `mexport.dir` parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system. Published Thursday, March 20, 2025 |
