CVE-2025-49177

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49177
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2025:10258
https://access.redhat.com/errata/RHSA-2025:9304
https://access.redhat.com/security/cve/CVE-2025-49177
https://bugzilla.redhat.com/show_bug.cgi?id=2369955
Configurations

No configuration.

History

02 Jul 2025, 20:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:10258 -

30 Jun 2025, 10:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.5 		v2 : unknown
v3 : 6.1

23 Jun 2025, 07:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:9304 -
References
  • () https://access.redhat.com/errata/RHSA-2025:9304 -
References
  • () https://access.redhat.com/errata/RHSA-2025:9304 -
Summary
  • (es) Se detectó una falla en la extensión XFIXES. El controlador XFixesSetClientDisconnectMode no valida la longitud de la solicitud, lo que permite que un cliente lea memoria no deseada de solicitudes anteriores.

17 Jun 2025, 20:50

Type Values Removed Values Added
References
  • {'url': 'https://access.redhat.com/errata/RHSA-2025:9304', 'source': 'secalert@redhat.com'}
References
  • {'url': 'https://access.redhat.com/errata/RHSA-2025:9304', 'source': 'secalert@redhat.com'}

17 Jun 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-17 15:15

Updated : 2025-07-02 20:15

NVD link : CVE-2025-49177

Mitre link : CVE-2025-49177

CVE.ORG link : CVE-2025-49177

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor