Detections
Analytics
Linux Distros Unpatched Vulnerability : CVE-2025-41242
medium Nessus Plugin ID 260137
Language:
Synopsis
The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.Description
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.- Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet- spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application. (CVE-2025-41242)
Note that Nessus relies on the presence of the package as reported by the vendor.
Solution
There is no known solution at this time.See Also
https://access.redhat.com/security/cve/cve-2025-41242
Plugin Details
Severity: Medium
ID: 260137
File Name: unpatched_CVE_2025_41242.nasl
Version: 1.4
Type: local
Agent: unix
Family: Misc.
Published: 9/1/2025
Updated: 9/29/2025
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2025-41242
CVSS v3
Risk Factor: Medium
Base Score: 5.9
Temporal Score: 5.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:pki-resteasy-jackson2-provider, cpe:/o:debian:debian_linux:14.0, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:centos:centos:log4j-slf4j, cpe:/o:centos:centos:8, p-cpe:/a:redhat:enterprise_linux:pki-resteasy, p-cpe:/a:redhat:enterprise_linux:log4j, cpe:/o:canonical:ubuntu_linux:16.04:-:lts, cpe:/o:canonical:ubuntu_linux:22.04:-:lts, p-cpe:/a:redhat:enterprise_linux:pki-resteasy-client, p-cpe:/a:centos:centos:pki-resteasy-core, p-cpe:/a:redhat:enterprise_linux:pki-resteasy-servlet-initializer, p-cpe:/a:redhat:enterprise_linux:resteasy-javadoc, p-cpe:/a:redhat:enterprise_linux:log4j-web, cpe:/o:canonical:ubuntu_linux:24.04:-:lts, p-cpe:/a:redhat:enterprise_linux:pki-resteasy-core, p-cpe:/a:centos:centos:log4j-jcl, p-cpe:/a:redhat:enterprise_linux:log4j-slf4j, p-cpe:/a:centos:centos:pki-resteasy, p-cpe:/a:debian:debian_linux:libspring-java, p-cpe:/a:centos:centos:resteasy, cpe:/o:redhat:enterprise_linux:8, cpe:/o:canonical:ubuntu_linux:18.04:-:lts, cpe:/o:canonical:ubuntu_linux:25.04, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:resteasy, p-cpe:/a:centos:centos:pki-resteasy-jackson2-provider, cpe:/o:debian:debian_linux:13.0, p-cpe:/a:redhat:enterprise_linux:log4j-jcl, p-cpe:/a:canonical:ubuntu_linux:libspring-java, p-cpe:/a:centos:centos:resteasy-javadoc, p-cpe:/a:centos:centos:pki-resteasy-servlet-initializer, p-cpe:/a:centos:centos:pki-resteasy-client, p-cpe:/a:centos:centos:log4j-web, cpe:/o:canonical:ubuntu_linux:14.04:-:lts, cpe:/o:canonical:ubuntu_linux:20.04:-:lts, p-cpe:/a:centos:centos:log4j, cpe:/o:debian:debian_linux:12.0
Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 8/18/2025
Reference Information
CVE: CVE-2025-41242