CVE-2025-46548

{"id": "CVE-2025-46548", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-06-03T15:15:59.110", "references": [{"url": "https://github.com/akka/akka-management/pull/1385", "tags": ["Exploit", "Issue Tracking"], "source": "security@apache.org"}, {"url": "https://github.com/apache/pekko-management/pull/418", "tags": ["Issue Tracking", "Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/03/7", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1."}, {"lang": "es", "value": "Si habilita la autenticaci\u00f3n b\u00e1sica en Pekko Management mediante el DSL de Java, es posible que el autenticador no se aplique correctamente. Se recomienda a los usuarios que dependen de la autenticaci\u00f3n en lugar de asegurarse de que los puertos de la API de administraci\u00f3n solo est\u00e9n disponibles para usuarios de confianza que actualicen a la versi\u00f3n 1.1.1, que soluciona este problema."}], "lastModified": "2025-07-02T14:19:10.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:pekko_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "100D0B74-D9C2-4DC2-B14E-25416E0A7B7B", "versionEndIncluding": "1.1.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:akka:akka_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "216EF615-CEA6-4CF7-8BE2-E215442B8935", "versionEndExcluding": "1.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}