Red Hat JBoss Enterprise Application Platform 8.1 update for JGit

Published: 2025-11-27

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2025-4949
CWE-ID	CWE-611
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	JBoss Enterprise Application Platform Server applications / Application servers eap8-yasson (Red Hat package) Operating systems & Components / Operating system package or component eap8-wildfly-javadocs (Red Hat package) Operating systems & Components / Operating system package or component eap8-wildfly-http-client (Red Hat package) Operating systems & Components / Operating system package or component eap8-wildfly-clustering (Red Hat package) Operating systems & Components / Operating system package or component eap8-wildfly (Red Hat package) Operating systems & Components / Operating system package or component eap8-stax2-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-stax-ex (Red Hat package) Operating systems & Components / Operating system package or component eap8-snakeyaml (Red Hat package) Operating systems & Components / Operating system package or component eap8-saaj-impl (Red Hat package) Operating systems & Components / Operating system package or component eap8-reactivex-rxjava2 (Red Hat package) Operating systems & Components / Operating system package or component eap8-reactive-streams (Red Hat package) Operating systems & Components / Operating system package or component eap8-parsson (Red Hat package) Operating systems & Components / Operating system package or component eap8-objectweb-asm (Red Hat package) Operating systems & Components / Operating system package or component eap8-jgroups (Red Hat package) Operating systems & Components / Operating system package or component eap8-jctools (Red Hat package) Operating systems & Components / Operating system package or component eap8-jbossws-cxf (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-xml-bind-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-ws-rs-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-validation-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-servlet-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-mail (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-interceptor-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-annotation-api (Red Hat package) Operating systems & Components / Operating system package or component eap8-jakarta-activation (Red Hat package) Operating systems & Components / Operating system package or component eap8-infinispan (Red Hat package) Operating systems & Components / Operating system package or component eap8-httpcomponents-core (Red Hat package) Operating systems & Components / Operating system package or component eap8-httpcomponents-client (Red Hat package) Operating systems & Components / Operating system package or component eap8-hibernate-search (Red Hat package) Operating systems & Components / Operating system package or component eap8-hibernate (Red Hat package) Operating systems & Components / Operating system package or component eap8-hal-console (Red Hat package) Operating systems & Components / Operating system package or component eap8-eclipse-jgit (Red Hat package) Operating systems & Components / Operating system package or component eap8-eap-product-conf-parent (Red Hat package) Operating systems & Components / Operating system package or component eap8-atinject (Red Hat package) Operating systems & Components / Operating system package or component eap8-apache-commons-lang (Red Hat package) Operating systems & Components / Operating system package or component eap8-apache-commons-io (Red Hat package) Operating systems & Components / Operating system package or component eap8-antlr4 (Red Hat package) Operating systems & Components / Operating system package or component eap8-angus-activation (Red Hat package) Operating systems & Components / Operating system package or component eap8-activemq-artemis (Red Hat package) Operating systems & Components / Operating system package or component
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) XML External Entity injection

EUVDB-ID: #VU114059

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-4949

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 8.1.0 - 8.1.1

eap8-yasson (Red Hat package): before 3.0.4-2.redhat_00004.1.el9eap

eap8-wildfly-javadocs (Red Hat package): before 8.1.1-2.GA_redhat_00006.1.el9eap

eap8-wildfly-http-client (Red Hat package): before 2.1.3-1.Final_redhat_00001.1.el9eap

eap8-wildfly-clustering (Red Hat package): before 5.0.11-1.Final_redhat_00001.1.el9eap

eap8-wildfly (Red Hat package): before 8.1.2-1.GA_redhat_00004.1.el9eap

eap8-stax2-api (Red Hat package): before 4.2.2-2.redhat_00003.1.el9eap

eap8-stax-ex (Red Hat package): before 2.1.0-3.redhat_00003.1.el9eap

eap8-snakeyaml (Red Hat package): before 2.3.0-1.redhat_00002.1.el9eap

eap8-saaj-impl (Red Hat package): before 3.0.4-2.redhat_00002.1.el9eap

eap8-reactivex-rxjava2 (Red Hat package): before 2.2.21-4.redhat_00003.1.el9eap

eap8-reactive-streams (Red Hat package): before 1.0.4-4.redhat_00005.1.el9eap

eap8-parsson (Red Hat package): before 1.1.7-3.redhat_00003.1.el9eap

eap8-objectweb-asm (Red Hat package): before 9.7.1-3.redhat_00002.1.el9eap

eap8-jgroups (Red Hat package): before 5.3.21-1.Final_redhat_00001.1.el9eap

eap8-jctools (Red Hat package): before 4.0.5-3.redhat_00002.1.el9eap

eap8-jbossws-cxf (Red Hat package): before 7.3.6-1.Final_redhat_00001.1.el9eap

eap8-jakarta-xml-bind-api (Red Hat package): before 4.0.2-2.redhat_00003.1.el9eap

eap8-jakarta-ws-rs-api (Red Hat package): before 3.1.0-5.redhat_00003.1.el9eap

eap8-jakarta-validation-api (Red Hat package): before 3.0.2-3.redhat_00006.1.el9eap

eap8-jakarta-servlet-api (Red Hat package): before 6.0.0-6.redhat_00007.1.el9eap

eap8-jakarta-mail (Red Hat package): before 2.1.3-3.redhat_00003.1.el9eap

eap8-jakarta-interceptor-api (Red Hat package): before 2.1.0-5.redhat_00003.1.el9eap

eap8-jakarta-annotation-api (Red Hat package): before 2.1.1-5.redhat_00005.1.el9eap

eap8-jakarta-activation (Red Hat package): before 2.1.3-2.redhat_00002.1.el9eap

eap8-infinispan (Red Hat package): before 15.0.21-1.Final_redhat_00002.1.el9eap

eap8-httpcomponents-core (Red Hat package): before 4.4.16-6.redhat_00011.1.el9eap

eap8-httpcomponents-client (Red Hat package): before 4.5.14-5.redhat_00016.1.el9eap

eap8-hibernate-search (Red Hat package): before 7.2.4-1.Final_redhat_00001.1.el9eap

eap8-hibernate (Red Hat package): before 6.6.31-1.Final_redhat_00001.1.el9eap

eap8-hal-console (Red Hat package): before 3.7.16-1.Final_redhat_00001.1.el9eap

eap8-eclipse-jgit (Red Hat package): before 6.10.1.202505221210-1.r_redhat_00002.1.el9eap

eap8-eap-product-conf-parent (Red Hat package): before 801.2.0-1.GA_redhat_00001.1.el9eap

eap8-atinject (Red Hat package): before 2.0.1-5.redhat_00007.1.el9eap

eap8-apache-commons-lang (Red Hat package): before 3.18.0-2.redhat_00003.1.el9eap

eap8-apache-commons-io (Red Hat package): before 2.16.1-2.redhat_00002.1.el9eap

eap8-antlr4 (Red Hat package): before 4.13.2-1.redhat_00001.1.el9eap

eap8-angus-activation (Red Hat package): before 2.0.2-2.redhat_00002.1.el9eap

eap8-activemq-artemis (Red Hat package): before 2.40.0-3.redhat_00008.1.el9eap

CPE2.3

External links

https://access.redhat.com/errata/RHSA-2025:22188
https://access.redhat.com/errata/RHSA-2025:22190

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.