{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1247", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-02-12T09:43:11.716Z", "datePublished": "2025-02-13T13:26:26.992Z", "dateUpdated": "2025-02-13T14:11:38.780Z"}, "containers": {"cna": {"title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-rest", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-rest", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quarkus:3"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-1247", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172", "name": "RHBZ#2345172", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-02-12T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-488", "description": "Exposure of Data Element to Wrong Session", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session", "timeline": [{"lang": "en", "time": "2025-02-12T09:30:25.106000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-12T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-13T13:26:26.992Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-13T14:11:32.786242Z", "id": "CVE-2025-1247", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:11:38.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T14:11:32.786242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:11:35.346Z"}}], "cna": {"title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:camel_quarkus:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Quarkus", "packageName": "io.quarkus/quarkus-rest", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quarkus:3"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "io.quarkus/quarkus-rest", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-02-12T09:30:25.106000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-12T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-02-12T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-1247", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172", "name": "RHBZ#2345172", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-488", "description": "Exposure of Data Element to Wrong Session"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-13T13:26:26.992Z"}, "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session"}}, "cveMetadata": {"cveId": "CVE-2025-1247", "state": "PUBLISHED", "dateUpdated": "2025-02-13T14:11:38.780Z", "dateReserved": "2025-02-12T09:43:11.716Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-02-13T13:26:26.992Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}], "id": "CVE-2025-1247", "lastModified": "2025-02-13T14:16:18.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2025-02-13T14:16:18.400", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-1247"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-488"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance", "id": "2345172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-488", "details": ["A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.", "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."], "name": "CVE-2025-1247", "package_state": [{"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "io.quarkus/quarkus-rest", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "io.quarkus/quarkus-rest", "product_name": "Red Hat build of Quarkus"}], "public_date": "2025-02-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1247\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1247"], "threat_severity": "Important"}