SB2025120932 - Multiple vulnerabilities in Red Hat OpenShift Pipelines Release 1.19

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025120932

SB2025120932 - Multiple vulnerabilities in Red Hat OpenShift Pipelines Release 1.19

Published: December 9, 2025

Security Bulletin ID SB2025120932
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2025-64756)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass specially crafted filename to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Input validation error (CVE-ID: CVE-2025-6545)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to application silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algorithm strings. A remote attacker can perform a spoofing attack. 


3) Input validation error (CVE-ID: CVE-2025-6547)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input as the application silently disregards Uint8Array input. A remote attacker can spoof signature. 


4) Input validation error (CVE-ID: CVE-2025-9287)

The vulnerability allows a remote attacker to manipulate data or perform a denial of service attack.

The vulnerability exists due to a missing type check of untrusted input. A remote attacker can manipulate data representation within the application, which can lead to denial of service conditions or various calculation errors when handling private keys or hashes. 


5) Input validation error (CVE-ID: CVE-2025-9288)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a missing type check when handling untrusted input that can lead to calculation of invalid values or rewinding the hash state. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions. 


Remediation

Install update from vendor's website.

References