{
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:493e5f23-5c3b-45ba-a931-cda115442d70",
    "version": 1,
    "metadata": {
        "timestamp": "2025-01-16T00:00:00Z",
        "authors": [
            {
                "name": "Connext Security Team",
                "email": "security@rti.com"
            }
        ],
        "component": {
            "type": "framework",
            "bom-ref": "Connext Pro",
            "supplier": {
                "name": "Real-Time Innovations, Inc. (RTI)",
                "url": [
                    "https://www.rti.com"
                ]
            },
            "name": "Connext Professional",
            "version": "7.3.1.3"
        },
        "properties": [
            {
                "name": "last_updated",
                "value": "2026-05-21T09:50:06Z"
            }
        ]
    },
    "vulnerabilities": [
        {
            "bom-ref": "CVE-2011-1145",
            "id": "CVE-2011-1145",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1145"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2011-1145&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 7.8,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2011-1145&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P)&version=2"
                    },
                    "score": 4.6,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P"
                }
            ],
            "cwes": [
                120
            ],
            "description": "The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.",
            "published": "2019-11-14T02:15:10Z",
            "updated": "2024-11-21T01:25:39Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not call the affected APIs.",
                "firstIssued": "2024-06-12T13:10:44.519000Z",
                "lastUpdated": "2024-08-05T11:53:38.915000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-203"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-593529"
                }
            ]
        },
        {
            "bom-ref": "CVE-2012-2657",
            "id": "CVE-2012-2657",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2657"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2012-2657&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 2.1,
                    "severity": "low",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                119
            ],
            "description": "Buffer overflow in the SQLDriverConnect function in unixODBC 2.0.10, 2.3.1, and earlier allows local users to cause a denial of service (crash) via a long string in the FILEDSN option. NOTE: this issue might not be a vulnerability, since the ability to set this option typically implies that the attacker already has legitimate access to cause a DoS or execute code, and therefore the issue would not cross privilege boundaries. There may be limited attack scenarios if isql command-line options are exposed to an attacker, although it seems likely that other, more serious issues would also be exposed, and this issue might not cross privilege boundaries in that context.",
            "published": "2012-08-31T18:55:00Z",
            "updated": "2024-11-21T01:39:23Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-169235"
                }
            ]
        },
        {
            "bom-ref": "CVE-2018-7409",
            "id": "CVE-2018-7409",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7409"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-7409&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv3",
                    "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2018-7409&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
                }
            ],
            "cwes": [
                119
            ],
            "description": "In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c.",
            "published": "2018-02-22T18:29:00Z",
            "updated": "2024-11-21T04:12:05Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-148319"
                }
            ]
        },
        {
            "bom-ref": "CVE-2020-24370",
            "id": "CVE-2020-24370",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24370"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-24370&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-24370&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 5.0,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                191
            ],
            "description": "ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).",
            "published": "2020-08-17T17:15:13Z",
            "updated": "2024-11-21T05:14:41Z",
            "analysis": {
                "state": "not_affected",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-146889"
                }
            ]
        },
        {
            "bom-ref": "CVE-2020-24371",
            "id": "CVE-2020-24371",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24371"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-24371&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-24371&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 5.0,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                763
            ],
            "description": "lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.",
            "published": "2020-08-17T17:15:13Z",
            "updated": "2024-11-21T05:14:41Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-142250"
                }
            ]
        },
        {
            "bom-ref": "CVE-2021-3520",
            "id": "CVE-2021-3520",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-3520&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2021-3520&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
                }
            ],
            "cwes": [
                190,
                787
            ],
            "description": "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.",
            "published": "2021-06-02T13:15:13Z",
            "updated": "2024-11-21T06:21:44Z",
            "analysis": {
                "state": "not_affected",
                "justification": "protected_at_runtime",
                "response": [
                    "update"
                ],
                "detail": "We never pass an outputSize < 0 (see the fix at https://github.com/lz4/lz4/pull/972/commits/8301a21773ef61656225e264f4f06ae14462bca7). We always sanitize the passed outputSize parameter in all current usages.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-177195"
                }
            ]
        },
        {
            "bom-ref": "CVE-2021-43519",
            "id": "CVE-2021-43519",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43519"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-43519&vector=AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 5.5,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2021-43519&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 4.3,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                674
            ],
            "description": "Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.",
            "published": "2021-11-09T13:15:08Z",
            "updated": "2024-11-21T06:29:20Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The affected code is not reachable in the product.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-189532"
                }
            ]
        },
        {
            "bom-ref": "CVE-2021-44647",
            "id": "CVE-2021-44647",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-44647&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 5.5,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2021-44647&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 2.1,
                    "severity": "low",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                843
            ],
            "description": "Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.",
            "published": "2022-01-11T13:15:07Z",
            "updated": "2024-11-21T06:31:18Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-194232"
                }
            ]
        },
        {
            "bom-ref": "CVE-2021-45985",
            "id": "CVE-2021-45985",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45985"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-45985&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "cwes": [
                787
            ],
            "description": "In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.",
            "published": "2023-04-10T09:15:07Z",
            "updated": "2024-11-21T06:33:25Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2023-04-20T20:18:32.307000Z",
                "lastUpdated": "2023-07-17T10:50:34.215000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-95"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-513829"
                }
            ]
        },
        {
            "bom-ref": "CVE-2022-28805",
            "id": "CVE-2022-28805",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28805"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-28805&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H&version=3.1"
                    },
                    "score": 9.1,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2022-28805&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:P)&version=2"
                    },
                    "score": 6.4,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P"
                }
            ],
            "cwes": [
                125
            ],
            "description": "singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.",
            "published": "2022-04-08T06:15:07Z",
            "updated": "2024-11-21T06:57:57Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The code path that leads to the vulnerability is not reachable in our usage of Lua.",
                "firstIssued": "2023-01-16T12:06:31.575000Z",
                "lastUpdated": "2023-01-24T12:13:58.073000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-50"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-203400"
                }
            ]
        },
        {
            "bom-ref": "CVE-2022-31631",
            "id": "CVE-2022-31631",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31631"
            },
            "ratings": [
                {
                    "source": {
                        "name": "security@php.net"
                    },
                    "score": 9.1,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                }
            ],
            "cwes": [
                74
            ],
            "description": "In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.",
            "published": "2025-02-12T22:15:29Z",
            "updated": "2025-07-02T21:35:56Z",
            "analysis": {
                "state": "not_affected",
                "justification": "protected_at_runtime",
                "detail": "This issue affects the SQLite driver used by PHP. The vulnerability does not originate from the SQLite3 library itself but from the way PHP's driver uses it. The sqlite3_snprintf() function from the SQLite3 library expects an int parameter for the buffer size, but the PHP SQLite driver passes a size_t value, which on a 64-bit system can exceed the maximum value of an int and lead to a potential overflow. Connext Pro does not call sqlite3_snprintf() directly; it is only invoked from within the SQLite3 library, which manages its own buffer sizes correctly and so does not trigger the described integer overflow. This vulnerability is therefore not applicable.",
                "firstIssued": "2025-07-10T13:37:13Z",
                "lastUpdated": "2025-07-10T13:37:13Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-375"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-707596"
                }
            ]
        },
        {
            "bom-ref": "CVE-2022-33099",
            "id": "CVE-2022-33099",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33099"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-33099&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2022-33099&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P)&version=2"
                    },
                    "score": 5.0,
                    "severity": "medium",
                    "method": "CVSSv2",
                    "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P"
                }
            ],
            "cwes": [
                787
            ],
            "description": "An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.",
            "published": "2022-07-01T12:15:08Z",
            "updated": "2024-11-21T07:07:32Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The code that triggers the vulnerability is not present in Connext.",
                "firstIssued": "2022-10-05T13:24:28.660000Z",
                "lastUpdated": "2022-10-19T11:20:02.434000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-32"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-230272"
                }
            ]
        },
        {
            "bom-ref": "CVE-2022-37434",
            "id": "CVE-2022-37434",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-37434&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "cwes": [
                787
            ],
            "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
            "published": "2022-08-05T07:15:07Z",
            "updated": "2024-11-21T07:14:59Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext is not affected because it does not use the inflateGetHeader() function from the zlib library.",
                "firstIssued": "2023-04-26T13:47:24.750000Z",
                "lastUpdated": "2023-06-26T14:05:02.317000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-81"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-248499"
                }
            ]
        },
        {
            "bom-ref": "CVE-2023-6378",
            "id": "CVE-2023-6378",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-6378&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "source": {
                        "name": "vulnerability@ncsc.ch"
                    },
                    "score": 7.1,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
                }
            ],
            "cwes": [
                502
            ],
            "description": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n",
            "published": "2023-11-29T12:15:07Z",
            "updated": "2024-11-29T12:15:06Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use the impacted logback functionality.",
                "firstIssued": "2024-02-16T11:07:50.937000Z",
                "lastUpdated": "2024-02-20T14:48:09.733000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-172"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-539985"
                }
            ]
        },
        {
            "bom-ref": "CVE-2023-23088",
            "id": "CVE-2023-23088",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23088"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-23088&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "cwes": [
                787
            ],
            "description": "Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function.",
            "published": "2023-02-03T18:15:17Z",
            "updated": "2024-11-21T07:45:51Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "We do not use Barenboim json-parser in our codebase; the impacted code is not present in our codebase.",
                "firstIssued": "2024-05-03T14:43:35.976000Z",
                "lastUpdated": "2024-07-31T21:16:11.149000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-200"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-593528"
                }
            ]
        },
        {
            "bom-ref": "CVE-2023-35116",
            "id": "CVE-2023-35116",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-35116&vector=AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 4.7,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "cwes": [
                770
            ],
            "description": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.",
            "published": "2023-06-14T14:15:10Z",
            "updated": "2024-11-21T08:07:58Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext Professional is not affected as this vulnerability has been identified as a false positive.",
                "firstIssued": "2024-03-07T18:02:19.418000Z",
                "lastUpdated": "2026-03-10T14:32:17Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-117"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-522015"
                }
            ]
        },
        {
            "bom-ref": "CVE-2023-45853",
            "id": "CVE-2023-45853",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-45853&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2023/45xxx/CVE-2023-45853.json"
                    },
                    "score": 8.8,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                }
            ],
            "cwes": [
                190
            ],
            "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.",
            "published": "2023-10-14T02:15:09Z",
            "updated": "2024-12-20T17:41:31Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "Connext is not affected. The vulnerable code is at https://github.com/madler/zlib/blob/develop/contrib/minizip/zip.c#L1016C20-L1016C43 (MiniZip). We do not use MiniZip in our code, and there is no `contrib` or `minizip` folder in our codebase.",
                "firstIssued": "2024-03-05T13:34:45.109000Z",
                "lastUpdated": "2024-07-31T08:52:59.634000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-202"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-533513"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-12798",
            "id": "CVE-2024-12798",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12798"
            },
            "ratings": [
                {
                    "source": {
                        "name": "vulnerability@ncsc.ch"
                    },
                    "score": 5.9,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Clear"
                }
            ],
            "cwes": [
                917
            ],
            "description": "ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.",
            "published": "2024-12-19T16:15:07Z",
            "updated": "2025-01-03T14:15:24Z",
            "recommendation": "Update to a Connext Professional release that does not include the vulnerable version of this third-party software.",
            "analysis": {
                "state": "exploitable",
                "detail": "RTI Admin Console is affected by product issue ADMINCONSOLE-1432, which has a maximum CVSS 3.1 score of 6.1.",
                "firstIssued": "2025-09-01T15:08:40Z",
                "lastUpdated": "2025-10-28T17:11:34Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-288"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-661746"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "ADMINCONSOLE-1432"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-12801",
            "id": "CVE-2024-12801",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12801"
            },
            "ratings": [
                {
                    "source": {
                        "name": "vulnerability@ncsc.ch"
                    },
                    "score": 2.4,
                    "severity": "low",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:X/U:Clear"
                }
            ],
            "cwes": [
                918
            ],
            "description": "Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12\u00a0 on the Java platform, allows an attacker to \nforge requests by compromising logback configuration files in XML.\n\n\n\nThe attacks involves the modification of DOCTYPE declaration in\u00a0 XML configuration files.",
            "published": "2024-12-19T17:15:08Z",
            "updated": "2025-01-03T14:15:24Z",
            "recommendation": "Update to a Connext Professional release that does not include the vulnerable version of this third-party software.",
            "analysis": {
                "state": "exploitable",
                "detail": "RTI Admin Console is affected by product issue ADMINCONSOLE-1432, which has a maximum CVSS 3.1 score of 6.1.",
                "firstIssued": "2025-09-01T15:09:16Z",
                "lastUpdated": "2025-10-28T17:14:32Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-288"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-661748"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "ADMINCONSOLE-1432"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-21208",
            "id": "CVE-2024-21208",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21208"
            },
            "ratings": [
                {
                    "source": {
                        "name": "secalert_us@oracle.com"
                    },
                    "score": 3.7,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                203
            ],
            "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and  21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).",
            "published": "2024-10-15T20:15:09Z",
            "updated": "2025-06-18T20:27:14Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "Not affected since we don\u2019t use Java WebStart or Java Applets.",
                "firstIssued": "2025-06-27T20:18:12Z",
                "lastUpdated": "2025-06-27T20:18:12Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-362"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-705430"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-21210",
            "id": "CVE-2024-21210",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21210"
            },
            "ratings": [
                {
                    "source": {
                        "name": "secalert_us@oracle.com"
                    },
                    "score": 3.7,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
                }
            ],
            "cwes": [
                203
            ],
            "description": "Vulnerability in Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and  23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).",
            "published": "2024-10-15T20:15:09Z",
            "updated": "2025-06-18T20:27:23Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "Not affected since we don\u2019t use Java WebStart or Java Applets.",
                "firstIssued": "2025-06-27T20:19:39Z",
                "lastUpdated": "2025-06-27T20:19:39Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-362"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-705431"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-21217",
            "id": "CVE-2024-21217",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21217"
            },
            "ratings": [
                {
                    "source": {
                        "name": "secalert_us@oracle.com"
                    },
                    "score": 3.7,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization).  Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and  21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).",
            "published": "2024-10-15T20:15:11Z",
            "updated": "2024-10-18T18:29:36Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Not affected since we don't use Java Web Start or Applets in any of our products.",
                "firstIssued": "2025-02-05T17:13:28Z",
                "lastUpdated": "2025-02-05T17:13:28Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-303"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-646816"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-21235",
            "id": "CVE-2024-21235",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21235"
            },
            "ratings": [
                {
                    "source": {
                        "name": "secalert_us@oracle.com"
                    },
                    "score": 4.8,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                }
            ],
            "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23;   Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23;   Oracle GraalVM Enterprise Edition: 20.3.15 and  21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).",
            "published": "2024-10-15T20:15:12Z",
            "updated": "2024-10-18T18:30:26Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Not affected since we don't use Java Web Start or Applets in any of our products.",
                "firstIssued": "2025-02-05T17:15:45Z",
                "lastUpdated": "2025-02-05T17:15:45Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-303"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-646818"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-29857",
            "id": "CVE-2024-29857",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/29xxx/CVE-2024-29857.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "cwes": [
                125
            ],
            "description": "An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.",
            "published": "2024-05-14T15:17:02Z",
            "updated": "2024-12-06T14:15:20Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use the impacted component.",
                "firstIssued": "2024-07-01T15:45:42.097000Z",
                "lastUpdated": "2024-07-31T08:52:58.554000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-224"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-601221"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-30171",
            "id": "CVE-2024-30171",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/30xxx/CVE-2024-30171.json"
                    },
                    "score": 5.9,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                203
            ],
            "description": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.",
            "published": "2024-05-14T15:21:52Z",
            "updated": "2024-11-21T09:11:21Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use the impacted component.",
                "firstIssued": "2024-07-01T15:45:42.097000Z",
                "lastUpdated": "2024-07-31T08:52:58.554000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-224"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-601225"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-30172",
            "id": "CVE-2024-30172",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30172"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/30xxx/CVE-2024-30172.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "description": "An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.",
            "published": "2024-05-14T15:21:53Z",
            "updated": "2024-11-21T09:11:21Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use the impacted component.",
                "firstIssued": "2024-07-01T15:45:42.097000Z",
                "lastUpdated": "2024-07-31T08:52:58.554000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-224"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-601227"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-47554",
            "id": "CVE-2024-47554",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/47xxx/CVE-2024-47554.json"
                    },
                    "score": 4.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                400
            ],
            "description": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.",
            "published": "2024-10-03T12:15:02Z",
            "updated": "2024-12-04T15:15:11Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use the impacted component.",
                "firstIssued": "2024-11-25T12:06:41.884000Z",
                "lastUpdated": "2024-11-27T15:37:49.870000Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-277"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-645644"
                }
            ]
        },
        {
            "bom-ref": "CVE-2024-58249",
            "id": "CVE-2024-58249",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58249"
            },
            "ratings": [
                {
                    "source": {
                        "name": "cve@mitre.org"
                    },
                    "score": 3.7,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                826
            ],
            "description": "In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.",
            "published": "2025-04-16T16:15:29Z",
            "updated": "2025-04-17T20:22:16Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The vulnerable code is not present in the wxWidgets version that we are using. It affects wxWidgets versions between 3.1.5 and 3.2.7. The version of wxWidgets that Shapes Demo uses is not in that range.",
                "firstIssued": "2025-08-26T09:27:07Z",
                "lastUpdated": "2025-08-26T09:27:07Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-388"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-704057"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-8885",
            "id": "CVE-2025-8885",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8885"
            },
            "ratings": [
                {
                    "source": {
                        "name": "91579145-5d7b-4cc5-b925-a0262ff19630"
                    },
                    "score": 6.3,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:U/V:X/RE:M/U:Amber"
                }
            ],
            "cwes": [
                770
            ],
            "description": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java.\n\nThis issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 1.0.2.5, from BC-FJA 2.0.0 through 2.0.0.",
            "published": "2025-08-12T10:15:26Z",
            "updated": "2025-08-16T10:15:26Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Admin Console doesn't use the Bouncy Castle security provider in its code base. Bouncy Castle is a dependency of Eclipse third-party components, and Admin Console doesn't exercise the code that calls Bouncy Castle from any of its components.",
                "firstIssued": "2025-08-18T09:59:11Z",
                "lastUpdated": "2025-08-18T09:59:11Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-403"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-714207"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-10966",
            "id": "CVE-2025-10966",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10966"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/10xxx/CVE-2025-10966.json"
                    },
                    "score": 4.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                }
            ],
            "description": "curl's code for managing SSH connections when SFTP was done using the wolfSSH\npowered backend was flawed and missed host verification mechanisms.\n\nThis prevents curl from detecting MITM attackers and more.",
            "published": "2025-11-07T08:15:39Z",
            "updated": "2025-11-12T16:20:22Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "We are not affected because this CVE only affects curl when built with the wolfSSH backend. The curl built for use with Collector Service is only built with OpenSSL.",
                "firstIssued": "2025-12-18T14:52:02Z",
                "lastUpdated": "2025-12-18T14:52:02Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-452"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-740917"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-11226",
            "id": "CVE-2025-11226",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11226"
            },
            "ratings": [
                {
                    "source": {
                        "name": "vulnerability@ncsc.ch"
                    },
                    "score": 5.9,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:M/U:Green"
                }
            ],
            "cwes": [
                20
            ],
            "description": "ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\n\n\nA successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must\u00a0 have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.",
            "published": "2025-10-01T08:15:31Z",
            "updated": "2025-10-31T15:15:41Z",
            "recommendation": "Enforce least-privilege principles on systems running Connext, protecting Connext applications from unauthorized modification or access.",
            "analysis": {
                "state": "exploitable",
                "detail": "RTI Admin Console is affected by product issue ADMINCONSOLE-1499, which has a maximum CVSS 3.1 score of 5.3.",
                "firstIssued": "2025-11-17T09:29:26Z",
                "lastUpdated": "2025-11-17T09:29:26Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-440"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-736604"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "ADMINCONSOLE-1499"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-11563",
            "id": "CVE-2025-11563",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11563"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/11xxx/CVE-2025-11563.json"
                    },
                    "score": 4.6,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                }
            ],
            "cwes": [
                22
            ],
            "description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into\nsaving the output file outside of the current directory without the user\nexplicitly asking for it.\n\nThis flaw only affects the wcurl command line tool.",
            "published": "2026-02-25T08:16:18Z",
            "updated": "2026-02-26T20:06:37Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "We are not affected by this vulnerability, as it only affects the wcurl command line tool, which we do not use.",
                "firstIssued": "2026-03-04T15:10:43Z",
                "lastUpdated": "2026-03-04T15:10:43Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-538"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-946392"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-13034",
            "id": "CVE-2025-13034",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13034"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/13xxx/CVE-2025-13034.json"
                    },
                    "score": 5.9,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
                }
            ],
            "cwes": [
                295
            ],
            "description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`\nwith the curl tool,curl should check the public key of the server certificate\nto verify the peer.\n\nThis check was skipped in a certain condition that would then make curl allow\nthe connection without performing the proper check, thus not noticing a\npossible impostor. To skip this check, the connection had to be done with QUIC\nwith ngtcp2 built to use GnuTLS and the user had to explicitly disable the\nstandard certificate verification.",
            "published": "2026-01-08T10:15:45Z",
            "updated": "2026-01-20T14:54:02Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The Collector Service is not built with the GnuTLS backend.",
                "firstIssued": "2026-02-11T19:19:20Z",
                "lastUpdated": "2026-02-11T19:19:20Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930567"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-14017",
            "id": "CVE-2025-14017",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14017"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/14xxx/CVE-2025-14017.json"
                    },
                    "score": 6.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
                }
            ],
            "description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,\nchanging TLS options in one thread would inadvertently change them globally\nand therefore possibly also affect other concurrently setup transfers.\n\nDisabling certificate verification for a specific transfer could\nunintentionally disable the feature for other threads as well.",
            "published": "2026-01-08T10:15:45Z",
            "updated": "2026-01-27T21:29:39Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use LDAP.",
                "firstIssued": "2026-02-11T19:12:21Z",
                "lastUpdated": "2026-02-11T19:12:21Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930568"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-14524",
            "id": "CVE-2025-14524",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14524"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/14xxx/CVE-2025-14524.json"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                601
            ],
            "description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.",
            "published": "2026-01-08T10:15:46Z",
            "updated": "2026-01-20T14:53:11Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service only uses basic authentication.",
                "firstIssued": "2026-02-11T19:04:50Z",
                "lastUpdated": "2026-02-11T19:04:50Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930569"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-14813",
            "id": "CVE-2025-14813",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14813"
            },
            "ratings": [
                {
                    "source": {
                        "name": "91579145-5d7b-4cc5-b925-a0262ff19630"
                    },
                    "score": 9.3,
                    "severity": "critical",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red"
                }
            ],
            "cwes": [
                327
            ],
            "description": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.\n\nGOSTCTR implementation unable to process more than 255 blocks correctly.\n\n\nThis issue affects BC-JAVA: from 1.59 before 1.84.",
            "published": "2026-04-15T10:16:38Z",
            "updated": "2026-04-17T15:38:09Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The affected component is the GOST CTR (G3413CTRBlockCipher) implementation within Bouncy Castle. While Admin Console includes Bouncy Castle version 1.80 as a transitive dependency via the Eclipse/OSGi platform, the application is not affected. Neither the Bouncy Castle library nor any of its classes are imported, invoked, or utilized anywhere within our codebase. Furthermore, there are no references to G3413CTRBlockCipher or any Russian cryptographic standards in our system, rendering the vulnerability completely unexploitable in our environment.",
                "firstIssued": "2026-05-18T08:26:52Z",
                "lastUpdated": "2026-05-18T08:26:52Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-574"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-965522"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-14819",
            "id": "CVE-2025-14819",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14819"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/14xxx/CVE-2025-14819.json"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                295
            ],
            "description": "When doing TLS related transfers with reused easy or multi handles and\naltering the  `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally\nreuse a CA store cached in memory for which the partial chain option was\nreversed. Contrary to the user's wishes and expectations. This could make\nlibcurl find and accept a trust chain that it otherwise would not.",
            "published": "2026-01-08T10:15:46Z",
            "updated": "2026-01-20T14:51:26Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use the CURLSSLOPT_NO_PARTIALCHAIN option.",
                "firstIssued": "2026-02-11T19:03:13Z",
                "lastUpdated": "2026-02-11T19:03:13Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930570"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-15079",
            "id": "CVE-2025-15079",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15079"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/15xxx/CVE-2025-15079.json"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                297
            ],
            "description": "When doing SSH-based transfers using either SCP or SFTP, and setting the\nknown_hosts file, libcurl could still mistakenly accept connecting to hosts\n*not present* in the specified file if they were added as recognized in the\nlibssh *global* known_hosts file.",
            "published": "2026-01-08T10:15:47Z",
            "updated": "2026-01-20T14:50:24Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use SFTP or SCP.",
                "firstIssued": "2026-02-11T19:13:32Z",
                "lastUpdated": "2026-02-11T19:13:32Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930571"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-15224",
            "id": "CVE-2025-15224",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15224"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/15xxx/CVE-2025-15224.json"
                    },
                    "score": 3.1,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                }
            ],
            "cwes": [
                287
            ],
            "description": "When doing SSH-based transfers using either SCP or SFTP, and asked to do\npublic key authentication, curl would wrongly still ask and authenticate using\na locally running SSH agent.",
            "published": "2026-01-08T10:15:47Z",
            "updated": "2026-01-20T14:47:52Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use SFTP or SCP.",
                "firstIssued": "2026-02-11T19:20:21Z",
                "lastUpdated": "2026-02-11T19:20:21Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-488"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-930572"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-48924",
            "id": "CVE-2025-48924",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/48xxx/CVE-2025-48924.json"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                674
            ],
            "description": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
            "published": "2025-07-11T15:15:24Z",
            "updated": "2025-07-28T13:45:38Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "No RTI Connext products invoke the impacted function ClassUtils.getClass, either within the RTI tools' direct source code or in any plugin dependencies.",
                "firstIssued": "2025-08-07T10:51:16Z",
                "lastUpdated": "2025-08-07T10:51:16Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-378"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-710140"
                }
            ]
        },
        {
            "bom-ref": "CVE-2025-70873",
            "id": "CVE-2025-70873",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70873"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/70xxx/CVE-2025-70873.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                244
            ],
            "description": "An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.",
            "published": "2026-03-12T19:16:15Z",
            "updated": "2026-04-16T21:15:47Z",
            "recommendation": "Update to a Connext Professional release that does not include the vulnerable version of this third-party software.",
            "analysis": {
                "state": "exploitable",
                "detail": "RTI Recording Service is affected by product issue RECORD-1584, which has a maximum CVSS 3.1 score of 5.5.",
                "firstIssued": "2026-04-29T11:45:40Z",
                "lastUpdated": "2026-04-29T11:45:40Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-575"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-965659"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "RECORD-1584"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-0636",
            "id": "CVE-2026-0636",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0636"
            },
            "ratings": [
                {
                    "source": {
                        "name": "91579145-5d7b-4cc5-b925-a0262ff19630"
                    },
                    "score": 5.5,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:X/RE:M/U:Amber"
                }
            ],
            "cwes": [
                90
            ],
            "description": "Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.\n\nThis issue affects BC-JAVA: from 1.74 before 1.84.",
            "published": "2026-04-15T10:16:38Z",
            "updated": "2026-04-17T15:38:09Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The LDAP injection vulnerability within Bouncy Castle's LDAPStoreHelper is not exploitable in Admin Console. Although Bouncy Castle is present as a transitive dependency via the Eclipse/OSGi platform, the application's code and configuration do not invoke its LDAP store or query APIs. Furthermore, Admin Console does not configure LDAP query endpoints nor register provider paths that would route certificate retrieval through the vulnerable helper class. Because no untrusted input can reach or construct queries within this component, the necessary execution paths do not exist, rendering the vulnerability unexploitable.",
                "firstIssued": "2026-05-18T08:45:21Z",
                "lastUpdated": "2026-05-18T08:45:21Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-574"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-966311"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-1225",
            "id": "CVE-2026-1225",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1225"
            },
            "ratings": [
                {
                    "source": {
                        "name": "vulnerability@ncsc.ch"
                    },
                    "score": 1.8,
                    "severity": "low",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:X/V:X/RE:M/U:Green"
                }
            ],
            "cwes": [
                20
            ],
            "description": "ACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\n\n\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must  have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.",
            "published": "2026-01-22T10:16:07Z",
            "updated": "2026-01-26T15:04:59Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The affected third-party library code is never loaded by Admin Console during use, so the vulnerability cannot be exploited.",
                "firstIssued": "2026-02-18T20:46:30Z",
                "lastUpdated": "2026-02-18T20:46:30Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-502"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-935054"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-1965",
            "id": "CVE-2026-1965",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1965"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/1xxx/CVE-2026-1965.json"
                    },
                    "score": 6.5,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                }
            ],
            "cwes": [
                305
            ],
            "description": "libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).",
            "published": "2026-03-11T11:15:59Z",
            "updated": "2026-03-12T14:11:19Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service only uses a single set of credentials when making HTTPS requests.",
                "firstIssued": "2026-03-19T18:53:12Z",
                "lastUpdated": "2026-03-19T18:53:12Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-540"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-950705"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-2673",
            "id": "CVE-2026-2673",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2673"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/2xxx/CVE-2026-2673.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                757
            ],
            "description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers.  The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security.  Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.",
            "published": "2026-03-13T19:54:34Z",
            "updated": "2026-03-17T18:16:15Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not call SSL_CTX_set1_groups_list, which is the impacted API.",
                "firstIssued": "2026-03-18T02:29:13Z",
                "lastUpdated": "2026-03-18T02:29:13Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-541"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-951461"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-3505",
            "id": "CVE-2026-3505",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3505"
            },
            "ratings": [
                {
                    "source": {
                        "name": "91579145-5d7b-4cc5-b925-a0262ff19630"
                    },
                    "score": 8.7,
                    "severity": "high",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                }
            ],
            "cwes": [
                400,
                770
            ],
            "description": "Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java.\n\nThis issue affects BC-JAVA: from 1.74 before 1.84.",
            "published": "2026-04-15T10:16:49Z",
            "updated": "2026-04-21T17:16:53Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The affected component is the OpenPGP module (bcpg) within Bouncy Castle, specifically regarding its handling of AEAD-encrypted PGP packets. While Admin Console includes bcpg-jdk18on version 1.80 as a transitive dependency via the Eclipse/OSGi platform, the application is not affected. The core codebase does not utilize any PGP or OpenPGP functionality. The module's only consumer is the Eclipse p2 framework for verifying signed plugins; however, this feature is strictly restricted and entirely inaccessible to end-users in the shipped product. Because users cannot install or update plugins, the required execution path cannot be triggered, rendering the vulnerability unexploitable in production environments.",
                "firstIssued": "2026-05-18T08:38:11Z",
                "lastUpdated": "2026-05-18T08:38:11Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-574"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-965523"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-3783",
            "id": "CVE-2026-3783",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3783"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/3xxx/CVE-2026-3783.json"
                    },
                    "score": 5.3,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                }
            ],
            "cwes": [
                522
            ],
            "description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second one.",
            "published": "2026-03-11T11:16:00Z",
            "updated": "2026-03-12T14:10:37Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use OAuth2 tokens.",
                "firstIssued": "2026-03-19T18:51:23Z",
                "lastUpdated": "2026-03-19T18:51:23Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-540"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-950704"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-3784",
            "id": "CVE-2026-3784",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3784"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/3xxx/CVE-2026-3784.json"
                    },
                    "score": 6.5,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                }
            ],
            "cwes": [
                305
            ],
            "description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection.",
            "published": "2026-03-11T11:16:00Z",
            "updated": "2026-03-12T14:09:50Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "When the Collector Service uses curl to connect to a server, only one set of credentials is used.",
                "firstIssued": "2026-03-19T18:47:16Z",
                "lastUpdated": "2026-03-19T18:47:16Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-540"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-950702"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-3805",
            "id": "CVE-2026-3805",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3805"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/3xxx/CVE-2026-3805.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "cwes": [
                416
            ],
            "description": "When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.",
            "published": "2026-03-11T11:16:00Z",
            "updated": "2026-03-12T14:08:56Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The Collector Service does not use the SMB protocol.",
                "firstIssued": "2026-03-19T18:48:55Z",
                "lastUpdated": "2026-03-19T18:48:55Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-540"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-950703"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-5598",
            "id": "CVE-2026-5598",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5598"
            },
            "ratings": [
                {
                    "source": {
                        "name": "91579145-5d7b-4cc5-b925-a0262ff19630"
                    },
                    "score": 8.9,
                    "severity": "high",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:Red"
                }
            ],
            "cwes": [
                385
            ],
            "description": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.\n\nThis issue affects BC-JAVA: from 1.71 before 1.84.",
            "published": "2026-04-15T10:16:49Z",
            "updated": "2026-04-21T16:16:20Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Although Bouncy Castle is included as a transitive dependency via the Eclipse/OSGi platform, the application's codebase contains no references to PQC or Frodo APIs. Because this functionality is neither present nor invoked anywhere within the application workflow, the affected cryptographic operations cannot be executed or observed by an attacker, rendering the vulnerability unreachable and unexploitable.",
                "firstIssued": "2026-05-18T08:43:06Z",
                "lastUpdated": "2026-05-18T08:43:06Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-574"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-965524"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-22184",
            "id": "CVE-2026-22184",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22184"
            },
            "ratings": [
                {
                    "source": {
                        "name": "disclosure@vulncheck.com"
                    },
                    "score": 4.6,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-22184&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
                    },
                    "score": 9.8,
                    "severity": "critical",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                }
            ],
            "cwes": [
                787
            ],
            "description": "zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.",
            "published": "2026-01-07T21:16:01Z",
            "updated": "2026-01-15T14:16:27Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_present",
                "detail": "The untgz code is not present in the Core Libraries.",
                "firstIssued": "2026-01-22T15:19:51Z",
                "lastUpdated": "2026-01-22T15:19:51Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-493"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-932447"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-27171",
            "id": "CVE-2026-27171",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27171"
            },
            "ratings": [
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-27171&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"
                    },
                    "score": 5.5,
                    "severity": "medium",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "source": {
                        "name": "cve@mitre.org"
                    },
                    "score": 2.9,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                1284
            ],
            "description": "zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.",
            "published": "2026-02-18T04:16:01Z",
            "updated": "2026-02-20T16:45:28Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use crc32_combine64 or crc32_combine_gen64 from the zlib library.",
                "firstIssued": "2026-02-23T19:37:36Z",
                "lastUpdated": "2026-02-23T19:37:36Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-536"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-945094"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-28387",
            "id": "CVE-2026-28387",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28387"
            },
            "cwes": [
                416
            ],
            "description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages.  These SMTP (or other similar) clients are not vulnerable\nto this issue.  Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary.",
            "published": "2026-04-07T22:16:20Z",
            "updated": "2026-04-07T22:16:20Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not call SSL_CTX_dane_enable, so it does not support DANE.",
                "firstIssued": "2026-04-08T21:00:35Z",
                "lastUpdated": "2026-04-08T21:00:35Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961970"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-28388",
            "id": "CVE-2026-28388",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28388"
            },
            "cwes": [
                476
            ],
            "description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension\nis processed a NULL pointer dereference might happen if the required CRL\nNumber extension is missing.\n\nImpact summary: A NULL pointer dereference can trigger a crash which\nleads to a Denial of Service for an application.\n\nWhen CRL processing and delta CRL processing is enabled during X.509\ncertificate verification, the delta CRL processing does not check\nwhether the CRL Number extension is NULL before dereferencing it.\nWhen a malformed delta CRL file is being processed, this parameter\ncan be NULL, causing a NULL pointer dereference.\n\nExploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in\nthe verification context, the certificate being verified to contain a\nfreshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and\nan attacker to provide a malformed CRL to an application that processes it.\n\nThe vulnerability is limited to Denial of Service and cannot be escalated to\nachieve code execution or memory disclosure. For that reason the issue was\nassessed as Low severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the affected code is outside the OpenSSL FIPS module boundary.",
            "published": "2026-04-07T22:16:20Z",
            "updated": "2026-04-07T22:16:20Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not use X509_V_FLAG_USE_DELTAS.",
                "firstIssued": "2026-04-08T21:05:42Z",
                "lastUpdated": "2026-04-08T21:05:42Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961972"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-28389",
            "id": "CVE-2026-28389",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28389"
            },
            "cwes": [
                476
            ],
            "description": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
            "published": "2026-04-07T22:16:21Z",
            "updated": "2026-04-07T22:16:21Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not decrypt CMS messages.",
                "firstIssued": "2026-04-08T21:06:53Z",
                "lastUpdated": "2026-04-08T21:06:53Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961974"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-28390",
            "id": "CVE-2026-28390",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28390"
            },
            "cwes": [
                476
            ],
            "description": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
            "published": "2026-04-07T22:16:21Z",
            "updated": "2026-04-07T22:16:21Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not decrypt CMS messages.",
                "firstIssued": "2026-04-08T21:08:43Z",
                "lastUpdated": "2026-04-08T21:08:43Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961978"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-31789",
            "id": "CVE-2026-31789",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31789"
            },
            "cwes": [
                787
            ],
            "description": "Issue summary: Converting an excessively large OCTET STRING value to\na hexadecimal string leads to a heap buffer overflow on 32 bit platforms.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nan attacker controlled code execution or other undefined behavior.\n\nIf an attacker can supply a crafted X.509 certificate with an excessively\nlarge OCTET STRING value in extensions such as the Subject Key Identifier\n(SKID) or Authority Key Identifier (AKID) which are being converted to hex,\nthe size of the buffer needed for the result is calculated as multiplication\nof the input length by 3. On 32 bit platforms, this multiplication may overflow\nresulting in the allocation of a smaller buffer and a heap buffer overflow.\n\nApplications and services that print or log contents of untrusted X.509\ncertificates are vulnerable to this issue. As the certificates would have\nto have sizes of over 1 Gigabyte, printing or logging such certificates\nis a fairly unlikely operation and only 32 bit platforms are affected,\nthis issue was assigned Low severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
            "published": "2026-04-07T22:16:21Z",
            "updated": "2026-04-07T22:16:21Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not print or log any OCTET STRING fields of a certificate.",
                "firstIssued": "2026-04-08T21:10:17Z",
                "lastUpdated": "2026-04-08T21:10:17Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961980"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-31790",
            "id": "CVE-2026-31790",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31790"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/31xxx/CVE-2026-31790.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "cwes": [
                754
            ],
            "description": "Issue summary: Applications using RSASVE key encapsulation to establish\na secret encryption key can send contents of an uninitialized memory buffer to\na malicious peer.\n\nImpact summary: The uninitialized buffer might contain sensitive data from the\nprevious execution of the application process which leads to sensitive data\nleakage to an attacker.\n\nRSA_public_encrypt() returns the number of bytes written on success and -1\non error. The affected code tests only whether the return value is non-zero.\nAs a result, if RSA encryption fails, encapsulation can still return success to\nthe caller, set the output lengths, and leave the caller to use the contents of\nthe ciphertext buffer as if a valid KEM ciphertext had been produced.\n\nIf applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an\nattacker-supplied invalid RSA public key without first validating that key,\nthen this may cause stale or uninitialized contents of the caller-provided\nciphertext buffer to be disclosed to the attacker in place of the KEM\nciphertext.\n\nAs a workaround calling EVP_PKEY_public_check() or\nEVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate\nthe issue.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.",
            "published": "2026-04-07T22:16:21Z",
            "updated": "2026-04-08T15:16:11Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Connext does not call RSA_public_encrypt or EVP_PKEY_encapsulate.",
                "firstIssued": "2026-04-08T21:08:02Z",
                "lastUpdated": "2026-04-08T21:08:02Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-555"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-961976"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-34477",
            "id": "CVE-2026-34477",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34477"
            },
            "ratings": [
                {
                    "source": {
                        "name": "security@apache.org"
                    },
                    "score": 6.3,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                }
            ],
            "cwes": [
                297
            ],
            "description": "The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the <Ssl> element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested <Ssl> element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
            "published": "2026-04-10T16:16:30Z",
            "updated": "2026-04-13T15:02:06Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "RTI Code Generator does not communicate over any network or socket; all of its uses of Log4j are local. Therefore, RTI Code Generator is not affected by this CVE.",
                "firstIssued": "2026-04-28T10:20:31Z",
                "lastUpdated": "2026-04-28T10:20:31Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-571"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-964590"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-34478",
            "id": "CVE-2026-34478",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34478"
            },
            "ratings": [
                {
                    "source": {
                        "name": "security@apache.org"
                    },
                    "score": 6.9,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-34478&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                }
            ],
            "cwes": [
                117,
                684
            ],
            "description": "Apache Log4j Core's  Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\n\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
            "published": "2026-04-10T16:16:31Z",
            "updated": "2026-04-24T18:10:57Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "RTI Code Generator only uses PatternLayout. The vulnerability only affects Rfc5424Layout. Therefore, RTI Code Generator is not affected.",
                "firstIssued": "2026-04-28T10:33:58Z",
                "lastUpdated": "2026-04-28T10:33:58Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-572"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-964591"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-34479",
            "id": "CVE-2026-34479",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34479"
            },
            "ratings": [
                {
                    "source": {
                        "name": "security@apache.org"
                    },
                    "score": 6.9,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-34479&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                }
            ],
            "cwes": [
                116
            ],
            "description": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.",
            "published": "2026-04-10T16:16:31Z",
            "updated": "2026-05-06T18:21:34Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The affected classes are Log4j1XmlLayout and XMLLayout (via the log4j1 compatibility layer). Neither class is present or referenced in our codebase, and there are no Log4j XML configurations or properties that could activate the vulnerable layout path.",
                "firstIssued": "2026-05-18T08:18:18Z",
                "lastUpdated": "2026-05-18T08:18:18Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-570"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-964592"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-34480",
            "id": "CVE-2026-34480",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34480"
            },
            "ratings": [
                {
                    "source": {
                        "name": "security@apache.org"
                    },
                    "score": 6.9,
                    "severity": "medium",
                    "method": "CVSSv4",
                    "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
                },
                {
                    "source": {
                        "name": "NVD",
                        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-34480&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                }
            ],
            "cwes": [
                116
            ],
            "description": "Apache Log4j Core's  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.",
            "published": "2026-04-10T16:16:31Z",
            "updated": "2026-04-24T18:21:54Z",
            "recommendation": "Update to a Connext Professional release that does not include the vulnerable version of this third-party software. If upgrading is not immediately possible, do not configure Log4j's XmlLayout in your logging configuration.",
            "analysis": {
                "state": "exploitable",
                "detail": "RTI Distributed Logger is affected by product issue DISTLOG-264, which has a maximum CVSS 3.1 score of 7.5.",
                "firstIssued": "2026-04-16T23:21:47Z",
                "lastUpdated": "2026-05-04T13:45:31Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-559"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-963652"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "DISTLOG-264"
                }
            ]
        },
        {
            "bom-ref": "CVE-2026-41080",
            "id": "CVE-2026-41080",
            "source": {
                "name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41080"
            },
            "ratings": [
                {
                    "source": {
                        "name": "CISA-ADP",
                        "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41080.json"
                    },
                    "score": 7.5,
                    "severity": "high",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "source": {
                        "name": "cve@mitre.org"
                    },
                    "score": 2.9,
                    "severity": "low",
                    "method": "CVSSv31",
                    "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
                }
            ],
            "cwes": [
                331
            ],
            "description": "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.",
            "published": "2026-04-16T17:16:54Z",
            "updated": "2026-04-27T07:16:03Z",
            "recommendation": "Update to a Connext Professional release that does not include the vulnerable version of this third-party software.",
            "analysis": {
                "state": "exploitable",
                "detail": "The Core Libraries are affected by product issue CORE-16732, which has a maximum CVSS 3.1 score of 7.5.",
                "firstIssued": "2026-05-08T01:01:08Z",
                "lastUpdated": "2026-05-08T01:01:08Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-580"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-970039"
                },
                {
                    "name": "rti_vulnerability_id",
                    "value": "CORE-16732"
                }
            ]
        },
        {
            "bom-ref": "GHSA-72hv-8253-57qq",
            "id": "GHSA-72hv-8253-57qq",
            "source": {
                "name": "GHSA",
                "url": "https://github.com/advisories/GHSA-72hv-8253-57qq"
            },
            "ratings": [
                {
                    "source": {
                        "name": "GHSA",
                        "url": "https://github.com/advisories/GHSA-72hv-8253-57qq"
                    },
                    "severity": "high"
                }
            ],
            "cwes": [
                770
            ],
            "description": "jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition",
            "published": "2026-02-28T02:01:05Z",
            "updated": "2026-03-03T16:59:15Z",
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "Admin Console uses jackson-core, but only its synchronous parser, not the affected asynchronous parser. According to the vulnerability description, the synchronous parser is not affected by this vulnerability, so the vulnerable code is not reachable.",
                "firstIssued": "2026-03-17T11:22:18Z",
                "lastUpdated": "2026-03-17T11:22:18Z"
            },
            "affects": [
                {
                    "ref": "Connext Pro"
                }
            ],
            "properties": [
                {
                    "name": "rti_id",
                    "value": "THIRDPARTY-539"
                },
                {
                    "name": "xray_id",
                    "value": "XRAY-947687"
                }
            ]
        }
    ]
}