CVE-2025-5195 – GitLab Compliance Framework Unauthorized Data Disclosure

June 12, 2025

CVE ID : CVE-2025-5195

Published : June 12, 2025, 11:15 a.m. | 2 hours, 44 minutes ago

Description : An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-6021 – Libxml2 Stack-Based Buffer Overflow Vulnerability

Next Article CVE-2025-0673 – GitLab CE/EE Infinite Redirect Loop Vulnerability

Highlights

CVE-2025-27817 – Apache Kafka Client Arbitrary File Read and SSRF Vulnerability

June 10, 2025

CVE ID : CVE-2025-27817

Published : June 10, 2025, 8:15 a.m. | 1 hour, 29 minutes ago

Description : A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including “sasl.oauthbearer.token.endpoint.url” and “sasl.oauthbearer.jwks.endpoint.url”. Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the “sasl.oauthbearer.token.endpoint.url” and “sasl.oauthbearer.jwks.endpoint.url” configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products.

Since Apache Kafka 3.9.1/4.0.0, we have added a system property (“-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls”) to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

How To Prevent WordPress SQL Injection Attacks

This week in AI dev tools: Apple’s Foundations Model framework, Mistral’s first reasoning model, and more (June 13, 2025)

Open Talent platforms emerging to match skilled workers to needs, study finds

Java never goes out of style: Celebrating 30 years of the language

6 registry tweaks every tech-savvy user must apply on Windows 11

Here’s why network infrastructure is vital to maximizing your company’s AI adoption

The AI video tool behind the most viral social trends right now

Got a new password manager? How to clean up the password mess you left in the cloud

Right Invoicing App for iPhone: InvoiceTemple

Right Invoicing App for iPhone: InvoiceTemple

Tunnel Run game in 170 lines of pure JS

Integrating Drupal with Salesforce SSO via SAML and Dynamic User Sync

Windows 11 24H2 tests toggle to turn off Recommended feed in the Start menu

Windows 11 24H2 tests toggle to turn off Recommended feed in the Start menu

User calls Windows 11 “pure horror,” Microsoft says it’s listening to feedback

John the Ripper is an advanced offline password cracker

CVE-2025-5195 – GitLab Compliance Framework Unauthorized Data Disclosure

HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Creating a Microsoft 365 Group or Office 365 Group

CVE-2025-45986 – Blink Command Injection Vulnerability in Router SetMacBlack Function

CVE-2025-32924 – Roninwp Revy SQL Injection Vulnerability

Empowering the next generation for an AI-enabled world

CVE-2025-27817 – Apache Kafka Client Arbitrary File Read and SSRF Vulnerability

Mafia: The Old Country Confirmed To Launch on PS 5, Xbox Series X|S, and PC Soon on THIS Date – Check for Details

Using Pages CMS for Static Site Content Management

Rilasciati GNOME 48.2 e 47.7:l’ambiente desktop porta varie migliorie e correzioni di errori

CVE-2025-5195 – GitLab Compliance Framework Unauthorized Data Disclosure

Related Posts