Advisory Week


Week 11, 2025
National Cyber Awareness System
 
CISA Releases Five Industrial Control Systems Advisories
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA Releases Seven Industrial Control Systems Advisories
Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Ubuntu Security Notices
 
PAM-PKCS#11 vulnerabilities: USN-7363-1
go-gh vulnerability: USN-7362-1
Libxslt vulnerability: USN-7361-1 / USN-7357-1
Alpine vulnerabilities: USN-7360-1
Valkey vulnerabilities: USN-7359-1
PostgreSQL vulnerabilities: USN-7358-1
uriparser vulnerabilities: USN-7356-1
RestrictedPython vulnerabilities: USN-7355-1
djoser vulnerability: USN-7354-1
FreeType vulnerabilities: USN-7352-2
PlantUML vulnerability: USN-7353-1
FreeType vulnerability: USN-7352-1
X.Org X Server regression: USN-7299-4
Red Hat Security Advisory
 
Important: kpatch-patch-5_14_0-427_13_1, kpatch-patch-5_14_0-427_31_1, kpatch-patch-5_14_0-427_44_1, and kpatch-patch-5_14_0-427_55_1 security update: RHSA-2025:3097
Important: kpatch-patch-5_14_0-284_104_1, kpatch-patch-5_14_0-284_52_1, kpatch-patch-5_14_0-284_79_1, and kpatch-patch-5_14_0-284_92_1 security update: RHSA-2025:3096
Important: kpatch-patch-4_18_0-372_118_1, kpatch-patch-4_18_0-372_131_1, kpatch-patch-4_18_0-372_137_1, and kpatch-patch-4_18_0-372_91_1 security update: RHSA-2025:3095
Important: kpatch-patch-4_18_0-477_43_1, kpatch-patch-4_18_0-477_67_1, kpatch-patch-4_18_0-477_81_1, and kpatch-patch-4_18_0-477_89_1 security update: RHSA-2025:3094
Important: kpatch-patch-4_18_0-305_120_1, kpatch-patch-4_18_0-305_138_1, kpatch-patch-4_18_0-305_145_1, and kpatch-patch-4_18_0-305_150_1 security update: RHSA-2025:3093
Moderate: Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available (RHBQ 3.15.3.SP2): RHSA-2025:3091
Important: postgresql:12 security update: RHSA-2025:3063
Important: webkit2gtk3 security update: RHSA-2025:3005 / RHSA-2025:3002 / RHSA-2025:3001 / RHSA-2025:3000 / RHSA-2025:2998 / RHSA-2025:2997 / RHSA-2025:2864 / RHSA-2025:2863
Important: OpenShift Container Platform 4.18.5 bug fix and security update: RHSA-2025:2705
Important: thunderbird security update: RHSA-2025:2900 / RHSA-2025:2899
Important: mysql:8.0 security update: RHSA-2025:2883 / RHSA-2025:2882
Important: tigervnc security update: RHSA-2025:2880 / RHSA-2025:2875 / RHSA-2025:2874 / RHSA-2025:2873 / RHSA-2025:2866 / RHSA-2025:2865 / RHSA-2025:2862 / RHSA-2025:2861
Important: xorg-x11-server security update: RHSA-2025:2879
Moderate: ACS 4.7 enhancement and security update: RHSA-2025:2876
Important: pcs security update: RHSA-2025:2872
Important: grub2 security update: RHSA-2025:2869 / RHSA-2025:2867
Important: libreoffice security update: RHSA-2025:2868
Atlassian Security Advisories
 
Security Bulletin - March 18 2025
Microsoft Security
 
Microsoft March 2025 Security Update Guide
CVE-2025-29795 Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability
CVE-2025-29806 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Chromium: CVE-2025-2476 Use after free in Lens
Jenkins Security Advisories
 
Jenkins Security Advisory 2025-03-19
Amazon AWS Security Advisories
 
Issue with the AWS CDK CLI and custom credential plugins (CVE-2025-2598)
GitHub Security Advisories
 
[GHSA-528q-4pgm-wvg2] Reflected XSS in go-httpbin due to unrestricted client control over Content-Type
[GHSA-mh63-6h87-95cp] jwt-go allows excessive memory allocation during header parsing
[GHSA-v63m-x9r9-8gqp] AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
[GHSA-837q-jhwx-cmpv] Parse Server has an OAuth login vulnerability
[GHSA-g8vq-v3mg-7mrg] Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form
[GHSA-cf3q-gqg7-3fm9] Envoy crashes when HTTP ext_proc processes local replies
[GHSA-f82v-jwr5-mffw] Authorization Bypass in Next.js Middleware
[GHSA-5w4j-f78p-4wh9] Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66
[GHSA-92cp-5422-2mw7] go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
[GHSA-w2rr-38wv-8rrp] kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace
[GHSA-q9f5-625g-xm39] OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`
[GHSA-gfp2-6qhm-7x43] The WikiManager REST API allows any user to create wikis
[GHSA-22q5-9phm-744v] XWiki allows unregistered users to access private pages information through REST endpoint
[GHSA-gq32-758c-3wm3] XWiki uses the wrong wiki reference in AuthorizationManager
[GHSA-jvhm-gjrh-3h93] Nuxt allows DOS via cache poisoning with payload rendering response
[GHSA-wq9g-9vfc-cfq9] Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter
[GHSA-hxg4-65p5-9w37] Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
[GHSA-x3m8-f7g5-qhm7] vLLM Allows Remote Code Execution via Mooncake Integration
[GHSA-mgrm-fgjv-mhv8] vLLM denial of service via outlines unbounded cache on disk
[GHSA-gm45-q3v2-6cf8] Fast-JWT Improperly Validates iss Claims
[GHSA-qmg3-hpqr-gqvc] Multiple Reviewdog actions were compromised during a specific time period
[GHSA-w532-jxjh-hjhj] jsPDF Bypass Regular Expression Denial of Service (ReDoS)
[GHSA-vqqr-fgmh-f626] Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
[GHSA-m4gq-fm9h-8q75] buildx allows a possible credential leakage to telemetry endpoint
[GHSA-pqq3-q84h-pj6x] Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
[GHSA-94vh-gphv-8pm8] zip Incorrectly Canonicalizes Paths during Archive Extraction Leading to Arbitrary File Write
[GHSA-93mq-9ffx-83m2] Memory Exhaustion in Expr Parser with Unrestricted Input
[GHSA-c98h-7hp9-v9hq] Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD
[GHSA-265r-hfxg-fhmg] containerd has an integer overflow in User ID handling
[GHSA-v432-7f47-9g94] PostQuantum-Feldman-VSS's Dependency Vulnerability in gmpy2 Leading to Interpreter Crash
[GHSA-w6fv-6gcc-x825] Zincati allows unprivileged access to rpm-ostree D-Bus `Deploy()` and `FinalizeDeployment()` methods
Drupal Security Advisories
 
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Spring Security Advisories
 
CVE-2025-22228 - High - Spring Security BCryptPasswordEncoder does not enforce maximum password length
CVE-2025-22223 - Medium - Spring Security authorization bypass for method security annotations on parameterized types
CISA Known Exploited Vulnerabilities
 
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability CVE-2025-30066
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability CVE-2025-24472
SAP NetWeaver Directory Traversal Vulnerability CVE-2017-12637
NAKIVO Backup and Replication Absolute Path Traversal Vulnerability CVE-2024-48248
Edimax IC-7100 IP Camera OS Command Injection Vulnerability CVE-2025-1316

The known exploited vulnerabilities list contains vulnerabilities that are known to be actively exploited. They may not be new or recently discovered. Vulnerabilities listed here were added to this list in the past week.
