{
  "threat_severity" : "Important",
  "public_date" : "2025-06-23T19:00:45Z",
  "bugzilla" : {
    "description" : "pbkdf2: pbkdf2 silently returns static keys",
    "id" : "2374378",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2374378"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.", "A flaw was found in the npm pbkdf2 library, allowing signature spoofing. Under specific use cases (password or salt inputs supplied as Uint8Array objects), pbkdf2 may silently return static keys instead of keys derived from the supplied inputs. This issue only occurs when running the library on Node.js." ],
  "statement" : "This vulnerability is rated as Important severity because a logic flaw was found in the npm pbkdf2 library: the toBuffer method silently ignores password and salt inputs that are provided as Uint8Array objects. As a result, the function returns a static, predictable key derived from empty inputs, completely undermining the security guarantees of any feature that relies on the generated key. Since the key no longer depends on the secret password or salt, it can be reproduced by anyone who knows the other derivation parameters; this allows an attacker to forge signatures, leading to a complete compromise of the application's data confidentiality, integrity, and availability.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3710",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-api-rhel8:1771425314"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3710",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-db-migration-rhel8:1771964224"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3710",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-ui-rhel8:1772036471"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3712",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-api-rhel8:1771425314"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3712",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-db-migration-rhel8:1771964224"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.15",
    "release_date" : "2026-03-04T00:00:00Z",
    "advisory" : "RHSA-2026:3712",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8",
    "package" : "openshift-pipelines/pipelines-hub-ui-rhel8:1772036471"
  }, {
    "product_name" : "Red Hat OpenShift Pipelines 1.19",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22905",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1.19::el9",
    "package" : "openshift-pipelines/pipelines-hub-api-rhel9:v1.19.4-1764818880"
  }, {
    "product_name" : "Red Hat OpenShift Service Mesh 3",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10738",
    "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9",
    "package" : "openshift-service-mesh/kiali-ossmc-rhel9:2.4.7-1751549390"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer 1.2",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14474",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.2::el9",
    "package" : "rhtas/rekor-search-ui-rhel9:1.2.1-1755456740"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-db-migration-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-service-mesh/kiali-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-service-mesh/kiali-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-service-mesh/kiali-rhel9-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "io.apicurio-apicurio-registry",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-rhel9-operator",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mozjs60",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gjs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "polkit",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "io.apicurio-apicurito",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "io.syndesis-syndesis-parent",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "io.apicurio-apicurio-registry",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces/dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "org.kie-process-migration-service",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "org.kie.workbench-kie-wb-common",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "org.uberfire-uberfire-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "com.github.streamshub-console",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-6547\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6547\nhttps://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb\nhttps://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59" ],
  "name" : "CVE-2025-6547",
  "csaw" : false
}