{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-30472", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-25T15:10:15.130Z", "dateReserved": "2025-03-22T00:00:00.000Z", "datePublished": "2025-03-22T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Corosync", "vendor": "Corosync", "versions": [{"lessThanOrEqual": "3.1.9", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-22T01:25:08.583Z"}, "references": [{"url": "https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677"}, {"url": "https://github.com/corosync/corosync/issues/778"}, {"url": "https://corosync.org"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:corosync:corosync:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.1.9"}]}]}]}, "adp": [{"references": [{"url": "https://github.com/corosync/corosync/issues/778", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-25T15:10:00.490273Z", "id": "CVE-2025-30472", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T15:10:15.130Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30472", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-25T15:10:00.490273Z"}}}], "references": [{"url": "https://github.com/corosync/corosync/issues/778", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T15:10:09.968Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Corosync", "product": "Corosync", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.9"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677"}, {"url": "https://github.com/corosync/corosync/issues/778"}, {"url": "https://corosync.org"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:corosync:corosync:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.1.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-22T01:25:08.583Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30472", "state": "PUBLISHED", "dateUpdated": "2025-03-25T15:10:15.130Z", "dateReserved": "2025-03-22T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-03-22T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:corosync:corosync:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6237AC4-3271-4985-9504-8E888B8B51EF", "versionEndIncluding": "3.1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet."}, {"lang": "es", "value": "Desde Corosync hasta la versi\u00f3n 3.1.9, si el cifrado est\u00e1 deshabilitado o el atacante conoce la clave de cifrado, se produce un desbordamiento de b\u00fafer basado en pila en orf_token_endian_convert en exec/totemsrp.c a trav\u00e9s de un paquete UDP grande."}], "id": "CVE-2025-30472", "lastModified": "2025-04-01T20:28:02.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-22T02:15:16.620", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://corosync.org"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/corosync/corosync/issues/778"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/corosync/corosync/issues/778"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "cve@mitre.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7478", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "corosync-0:3.1.9-1.el10_0.1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7201", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "corosync-0:3.1.9-2.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "corosync: Stack buffer overflow from 'orf_token_endian_convert'", "id": "2354229", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354229"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-121", "details": ["Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.", "A flaw was found in Corosync. In affected versions, a stack-based buffer overflow may be triggered via a large UDP packet in configurations where encryption is disabled or if an attacker knows the encryption key. This issue can lead to an application crash or other undefined behavior."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability in RHEL, use pcs to ensure that the corosync configuration used in your cluster(s) has encryption enabled (verify that during setup the `--crypto` option's `cipher` and `hash` parameters are not set to `none`)."}, "name": "CVE-2025-30472", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "corosync", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2025-03-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-30472\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-30472\nhttps://corosync.org\nhttps://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677\nhttps://github.com/corosync/corosync/issues/778"], "statement": "Red Hat believes this vulnerability to be of moderate impact because successful exploitation requires the attacker to have gained access to the shared secret keys used by the cluster for encrypted communication or for the corosync configuration in the cluster to have encryption and signing disabled, which would be a non-standard configuration.", "threat_severity": "Moderate"}