
21 matches found

IBM Security Bulletins
added 3 days ago, 3 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing affected by a race condition in Eclipse Jersey (CVE-2025-12383)

Summary: A critical race condition (CVE-2025-12383) has been identified in the Eclipse Jersey client library jersey-client-2.26.jar used by IBM Engineering Lifecycle Optimization - Engineering Publishing. Under high-concurrency conditions, a flaw in the HTTPS client's lazy initialization flow can...

CVSS 9.4, AI score 7.5, EPSS 0.00042
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2026/02/24 7:08 p.m., 6 views

Security Bulletin: Vulnerabilities in jersey-client-3.1.0.jar affecting MongoDB Enterprise Advanced (CVE-2025-12383)

Summary: There is a vulnerability in jersey-client-3.1.0.jar used in MongoDB Enterprise Advanced for IBM, involving CVE-2025-12383. The vulnerability has been addressed. Vulnerability Details: CVEID: CVE-2025-12383. DESCRIPTION: In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cau...

CVSS 9.4, AI score 5.5, EPSS 0.00042
Exploits: 0, Affected Software: 1

UbuntuCve
added 2025/12/18 9:15 p.m., 3 views

CVE-2025-68161

The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribut...

CVSS 6.3, AI score 6.7, EPSS 0.00029
Exploits: 1, References: 8

RedhatCVE
added 2025/11/25 5:59 p.m., 2 views

CVE-2025-12383

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain...

CVSS 9.4, AI score 6.7, EPSS 0.00042
Exploits: 0, References: 1

EUVD
added 2025/11/18 6:32 p.m., 3 views

EUVD-2025-198046

Eclipse Jersey has a Race Condition...

CVSS 9.4, AI score 6.5, EPSS 0.00042
Exploits: 0, References: 10

GitHub Security Blog
added 2025/11/18 6:32 p.m., 6 views

Eclipse Jersey has a Race Condition

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain...

CVSS 9.4, AI score 6.8, EPSS 0.00042
Exploits: 0, References: 13, Affected Software: 1

OSV
added 2025/11/18 6:32 p.m., 0 views

GHSA-7P63-W6X9-6GR7 Eclipse Jersey has a Race Condition

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain...

CVSS 9.4, AI score 5.9, EPSS 0.00042
Exploits: 0, References: 13

CVE
added 2025/11/18 3:14 p.m., 467 views

CVE-2025-12383

CVE-2025-12383 is a race-condition vulnerability in Eclipse Jersey that can cause ignoring of critical SSL configurations (e.g., mutual authentication, custom key/trust stores), potentially enabling unauthorized trust in insecure servers. Affected assets in the provided IBM context include IBM St...

CVSS 9.4, AI score 6.3, EPSS 0.00042
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/11/18 3:14 p.m., 2 views

CVE-2025-12383 Race Condition allows Bypass of Trust Restrictions

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain...

CVSS 9.4, AI score 6.3, EPSS 0.00042
Exploits: 0, References: 1

Positive Technologies
added 2025/11/18 12:00 a.m., 2 views

PT-2025-47323

Name of the Vulnerable Software and Affected Versions: Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 Description: A race condition in Eclipse Jersey’s SSL configuration processing can lead to the ignoring of critical SSL configurations, including mutual authentication and custom key/trust stores. Thi...

CVSS 9.4, AI score 6.7, EPSS 0.00042
Exploits: 0, References: 7

Positive Technologies
added 2025/09/03 12:00 a.m., 3 views

PT-2025-35658

Name of the Vulnerable Software and Affected Versions: PaperCut Print Deploy affected versions not specified Description: PaperCut Print Deploy, an optional component integrated with PaperCut NG/MF, is susceptible to man-in-the-middle attacks if not correctly configured with a trusted certificate...

CVSS 7.7, AI score 6.4, EPSS 0.00094
Exploits: 0, References: 6

NVD
added 2023/02/20 4:15 p.m., 17 views

CVE-2023-25656

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is...

CVSS 7.5, AI score 7.5, EPSS 0.00438
Exploits: 0, References: 2

Vulnrichment
added 2023/02/20 12:00 a.m., 8 views

CVE-2023-25656 notation-go has excessive memory allocation on verification

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is...

CVSS 7.5, AI score 7, EPSS 0.00438
Exploits: 0, References: 2

Cvelist
added 2023/02/20 12:00 a.m., 22 views

CVE-2023-25656 notation-go has excessive memory allocation on verification

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is...

CVSS 7.5, AI score 7.7, EPSS 0.00438
Exploits: 0, References: 2

GitHub Security Blog
added 2021/11/24 9:11 p.m., 29 views

Improper certificate management in AWS IoT Device SDK v2

Connections initialized by the AWS IoT Device SDK v2 for Java versions prior to 1.4.2, Python versions prior to 1.6.1, C++ versions prior to 1.12.7 and Node.js versions prior to 1.5.3 did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in the...

CVSS 8.8, AI score 3.7, EPSS 0.00102
Exploits: 0, References: 9, Affected Software: 3

GitHub Security Blog
added 2021/11/24 9:02 p.m., 34 views

Improper certificate management in AWS IoT Device SDK v2

Connections initialized by the AWS IoT Device SDK v2 for Java versions prior to 1.3.3, Python versions prior to 1.5.18, C++ versions prior to 1.12.7 and Node.js versions prior to 1.5.1 did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in...

CVSS 8.8, AI score 4.6, EPSS 0.00102
Exploits: 0, References: 11, Affected Software: 3

OSV
added 2021/11/24 9:02 p.m., 31 views

GHSA-94JQ-Q5V2-76WJ Improper certificate management in AWS IoT Device SDK v2

Connections initialized by the AWS IoT Device SDK v2 for Java versions prior to 1.3.3, Python versions prior to 1.5.18, C++ versions prior to 1.12.7 and Node.js versions prior to 1.5.1 did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in...

CVSS 6.3, AI score 8.5, EPSS 0.00102
Exploits: 0, References: 11

Veracode
added 2021/11/24 5:38 a.m., 17 views

Insecure Certificate Validation

aws/aws-iot-device-sdk-js-v2 is vulnerable to Insecure Certificate Validation. Attackers are able to compromise certificate authorities in their trust stores on Linux/Unix, by spoofing DNS records to bypass CA pinning...

CVSS 8.8, AI score 4.7, EPSS 0.00103
Exploits: 0, References: 7, Affected Software: 3

Veracode
added 2021/11/24 4:40 a.m., 18 views

Insecure Certificate Validation

aws-iot-device-sdk-v2 uses insecure certificate validation. The library does not verify server certificate hostname during TLS handshake, allowing attackers to override certificate authorities in their trust stores on Microsoft Windows...

CVSS 8.8, AI score 4.2, EPSS 0.00102
Exploits: 0, References: 10, Affected Software: 4

Veracode
added 2021/11/24 4:20 a.m., 20 views

Insecure Certificate Validation

aws-iot-device-sdk-v2 uses insecure certificate validation. The library does not verify server certificate hostname during TLS handshake, allowing attackers to override certificate authorities in their trust stores on macOS...

CVSS 8.8, AI score 4.2, EPSS 0.00102
Exploits: 0, References: 6, Affected Software: 3