SB20251015139 - Red Hat Enterprise Linux 9 update for .NET 8.0
Published: October 15, 2025 Updated: November 14, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Inadequate Encryption Strength (CVE-ID: CVE-2025-55248)
CWE-ID: CWE-326 - Inadequate Encryption Strength
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to inadequate encryption strength. A remote attacker can trick the victim to open a specially crafted email or click on the link and gain access to personally identifiable information (PII).
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-55315)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:P/U:Green
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in ASP.NET. A remote user can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
3) Link following (CVE-ID: CVE-2025-55247)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an insecure link following issue in .NET. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.
Remediation
Install update from vendor's website.