{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-25T00:00:00Z",
  "bugzilla" : {
    "description" : "rexml: REXML: Denial of Service via inefficient regex parsing",
    "id" : "2398216",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2398216"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1333",
  "details" : [ "A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.", "A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761." ],
  "statement" : "This vulnerability is rated as moderate severity because it allows attackers to exploit inefficient regex parsing of hex numeric character references (&#x...;), causing a ReDoS and impacting availability; it requires specific malicious input but does not affect confidentiality or integrity.\nSatellite employs multiple versions of REXML in its Puppet Agent and Satellite server components across different Satellite versions:\n- In Satellite 6.15 (on RHEL8), the Puppet Agent component uses REXML version 7.28-0-1 and IS affected.\n- In Satellite 6.15 (on RHEL8), the Satellite server component uses REXML version 7.17.2-1 and is NOT affected.\n- In Satellite 6.16 and 6.17 (on RHEL8 and RHEL9), the Puppet Agent component uses REXML version 8.8.1-1 and is NOT affected.\n- In Satellite 6.16 and 6.17 (on RHEL8 and RHEL9), the Satellite server component uses REXML version 8.6.2-2 and IS affected.\nTo reiterate, only the Puppet Agent component in Satellite 6.15 and the Satellite server component in Satellite 6.16 and 6.17 are affected. Any other component/Satellite version combinations are considered not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "puppet-agent-0:8.8.1-3.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "puppet-agent-0:8.8.1-3.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "puppet-agent-0:8.8.1-3.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "puppet-agent-0:8.8.1-3.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17606",
    "cpe" : "cpe:/a:redhat:satellite:6.17::el9",
    "package" : "puppet-agent-0:8.8.1-3.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17606",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.17::el9",
    "package" : "puppet-agent-0:8.8.1-3.el9sat"
  }, {
    "product_name" : "Satellite Client 6 for RHEL 8",
    "release_date" : "2025-10-09T00:00:00Z",
    "advisory" : "RHSA-2025:17693",
    "cpe" : "cpe:/a:redhat:rhel_satellite_client:6::el8",
    "package" : "puppet-agent-0:7.34.0-4.el8sat"
  }, {
    "product_name" : "Satellite Client 6 for RHEL 9",
    "release_date" : "2025-10-09T00:00:00Z",
    "advisory" : "RHSA-2025:17693",
    "cpe" : "cpe:/a:redhat:rhel_satellite_client:6::el9",
    "package" : "puppet-agent-0:7.34.0-4.el9sat"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-10990\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10990" ],
  "name" : "CVE-2025-10990",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}