2025-15 Java Security Weekly News - Oracle, Canonical, Red Hat, GitHub

2025 » Published on April 25, 2025

Oracle Security Alerts

Oracle Critical Patch Update Advisory - April 2025

Ubuntu Security Notices

USN-7435-1: Protocol Buffers vulnerability

Red Hat Security Advisory

(RHSA-2025:3857) Moderate: OpenJDK 21.0.7 Security Update for Windows Builds

(RHSA-2025:3856) Moderate: OpenJDK 21.0.7 Security Update for Portable Linux Builds

(RHSA-2025:3854) Moderate: OpenJDK 17.0.15 Security Update for Windows Builds

(RHSA-2025:3853) Moderate: OpenJDK 17.0.15 Security Update for Portable Linux Builds

(RHSA-2025:3847) Moderate: OpenJDK 8u452 Windows Security Update

(RHSA-2025:3846) Moderate: OpenJDK 8u452 Security Update for Portable Linux Builds

(RHSA-2025:3845) Moderate: java-1.8.0-openjdk security update

(RHSA-2025:3844) Moderate: java-1.8.0-openjdk security update

(RHSA-2025:3850) Moderate: OpenJDK 11.0.27 ELS Security Update for Portable Linux Builds

(RHSA-2025:3849) Moderate: OpenJDK 11.0.27 ELS Security Update for Windows Builds

Github Security Advisories

[GHSA-42fh-pvvh-999x] Unregistered users can see "public" messages from a closed wiki via notifications from a different wiki

org.xwiki.platform:xwiki-platform-messagestream - impacts versions: >= 5.0, <= 16.7.1 fixed in:

Java CVEs

6.3	CVE-2025-3807 A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. This affects the function Upload of the file src/main/java/com/my/bbs/controller/common/UploadController.java of the component Endpoint. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Published Saturday, April 19, 2025
6.3	CVE-2025-3830 A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. It has been declared as critical. Affected by this vulnerability is the function fileUpload of the file src/main/java/com/kuang/controller/QuestionController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Published Sunday, April 20, 2025
N/A	CVE-2025-28099 opencms V2.3 is vulnerable to Arbitrary file read in src/main/webapp/view/admin/document/dataPage.jsp, Published Monday, April 21, 2025
6.3	CVE-2025-3842 A vulnerability was found in panhainan DS-Java 1.0 and classified as critical. This issue affects the function uploadUserPic.action of the file src/com/phn/action/FileUpload.java. The manipulation of the argument fileUpload leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Published Monday, April 21, 2025
4.3	CVE-2025-3843 A vulnerability was found in panhainan DS-Java 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Published Monday, April 21, 2025