{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46548", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-04-24T20:07:58.395Z", "datePublished": "2025-06-03T14:45:32.890Z", "dateUpdated": "2025-06-11T17:44:23.190Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.pekko:pekko-management_2.12", "product": "Apache Pekko Management", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.1.1", "status": "affected", "version": "1.0.0", "versionType": "maven"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.pekko:pekko-management_2.13", "product": "Apache Pekko Management", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.1.1", "status": "affected", "version": "1.0.0", "versionType": "maven"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.pekko:pekko-management_3", "product": "Apache Pekko Management", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.1.1", "status": "affected", "version": "1.0.0", "versionType": "maven"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.lightbend.akka.management:akka-management_2.12", "product": "Akka Management", "vendor": "Lightbend", "versions": [{"lessThan": "1.6.1", "status": "affected", "version": "0", "versionType": "maven"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.lightbend.akka.management:akka-management_2.13", "product": "Akka Management", "vendor": "Lightbend", "versions": [{"lessThan": "1.6.1", "status": "affected", "version": "0", "versionType": "maven"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "com.lightbend.akka.management:akka-management_3", "product": "Akka Management", "vendor": "Lightbend", "versions": [{"lessThan": "1.6.1", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Per-Ivar Bakke of GE Vernova"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.<br></div><div>Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.</div><div><br></div><div>Akka was affected by the same issue and has released the fix in version 1.6.1.</div>"}], "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-11T17:44:23.190Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/pekko-management/pull/418"}, {"tags": ["related"], "url": "https://github.com/akka/akka-management/pull/1385"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Pekko Management, Apache Pekko Management, Apache Pekko Management, Akka Management, Akka Management, Akka Management: management API basic authentication is not effective", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-06-03T18:03:45.963Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-04T20:25:33.620840Z", "id": "CVE-2025-46548", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T20:27:25.436Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-06-03T18:03:45.963Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-46548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-04T20:25:33.620840Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T20:25:54.393Z"}}], "cna": {"title": "Apache Pekko Management, Apache Pekko Management, Apache Pekko Management, Akka Management, Akka Management, Akka Management: management API basic authentication is not effective", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Per-Ivar Bakke of GE Vernova"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Pekko Management", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.1.1", "versionType": "maven"}], "packageName": "org.apache.pekko:pekko-management_2.12", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache Pekko Management", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.1.1", "versionType": "maven"}], "packageName": "org.apache.pekko:pekko-management_2.13", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache Pekko Management", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.1.1", "versionType": "maven"}], "packageName": "org.apache.pekko:pekko-management_3", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Lightbend", "product": "Akka Management", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.1", "versionType": "maven"}], "packageName": "com.lightbend.akka.management:akka-management_2.12", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Lightbend", "product": "Akka Management", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.1", "versionType": "maven"}], "packageName": "com.lightbend.akka.management:akka-management_2.13", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Lightbend", "product": "Akka Management", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.1", "versionType": "maven"}], "packageName": "com.lightbend.akka.management:akka-management_3", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/pekko-management/pull/418", "tags": ["patch"]}, {"url": "https://github.com/akka/akka-management/pull/1385", "tags": ["related"]}, {"url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1.", "supportingMedia": [{"type": "text/html", "value": "<div>If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.<br></div><div>Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.</div><div><br></div><div>Akka was affected by the same issue and has released the fix in version 1.6.1.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-11T17:44:23.190Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46548", "state": "PUBLISHED", "dateUpdated": "2025-06-11T17:44:23.190Z", "dateReserved": "2025-04-24T20:07:58.395Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-06-03T14:45:32.890Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.\n\n\n\n\nAkka was affected by the same issue and has released the fix in version 1.6.1."}, {"lang": "es", "value": "Si habilita la autenticaci\u00f3n b\u00e1sica en Pekko Management mediante el DSL de Java, es posible que el autenticador no se aplique correctamente. Se recomienda a los usuarios que dependen de la autenticaci\u00f3n en lugar de asegurarse de que los puertos de la API de administraci\u00f3n solo est\u00e9n disponibles para usuarios de confianza que actualicen a la versi\u00f3n 1.1.1, que soluciona este problema."}], "id": "CVE-2025-46548", "lastModified": "2025-06-11T16:15:24.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-03T15:15:59.110", "references": [{"source": "security@apache.org", "url": "https://github.com/akka/akka-management/pull/1385"}, {"source": "security@apache.org", "url": "https://github.com/apache/pekko-management/pull/418"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@apache.org", "type": "Secondary"}]}

{}