ALT-PU-2025-12789-4

BDU:2025-08956

MEDIUM5.3

Уязвимость функции ClassUtils.getClass() библиотеки Apache Commons Lang для языка программирования Java, позволяющая нарушителю вызывать отказ в обслуживании

Published: 2025-07-24Modified: 2026-04-20

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2025-48924

CVE-2025-48924

MEDIUM5.3

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Published: 2025-07-11Modified: 2025-11-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2025-7962

MEDIUM6.0

In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

Published: 2025-07-21Modified: 2025-11-13

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 4.0MEDIUM 6.0

CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

CVE-2026-0871

MEDIUM4.9

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the system is configured to restrict such modifications.

Published: 2026-02-27Modified: 2026-03-05

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References

GHSA-9342-92gg-6v29

MEDIUM6.0

Jakarta Mail vulnerable to SMTP Injection

Published: 2025-07-21Modified: 2026-04-16

CVSS 3.xMEDIUM 6.0

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 4.0MEDIUM 6.0

CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

References

GHSA-j288-q9x7-2f5v

MEDIUM6.5

Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs

Published: 2025-07-11Modified: 2025-11-05

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

GHSA-v4jw-m6rm-399h

MEDIUM4.9

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes

Published: 2026-02-27Modified: 2026-02-28

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References

Package update keycloak in branch sisyphus

Closed issues (7)

Уязвимость функции ClassUtils.getClass() библиотеки Apache Commons Lang для языка программирования Java, позволяющая нарушителю вызывать отказ в обслуживании

In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

Jakarta Mail vulnerable to SMTP Injection

Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs

Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes