SCA: security update for org.igniterealtime.openfire:xmppserver (GHSA-w252-645g-87mp)

medium Tenable Cloud Security Plugin ID 435333

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL
mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from
X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls
X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a
provider-dependent string that does not escape special characters. In SunJSSE
(sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not
escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g.
OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin.
If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to
impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0. (CVE-2025-59154)

See Also

https://github.com/advisories/GHSA-w252-645g-87mp

Plugin Details

Severity: Medium

ID: 435333

Version: Revision 1.15

Type: Local

Family: SCA Checks

Published: 9/16/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.56

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2025-59154

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2025

Vulnerability Publication Date: 9/15/2025

Reference Information

CVE: CVE-2025-59154

cwe: CWE-290