{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-23419", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2025-01-22T00:17:16.444Z", "datePublished": "2025-02-05T17:31:07.316Z", "dateUpdated": "2025-11-03T21:00:19.099Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "NGINX Open Source", "vendor": "F5", "versions": [{"changes": [{"at": "1.27.4", "status": "unaffected"}, {"at": "1.26.3", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "1.11.4", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "NGINX Plus", "vendor": "F5", "versions": [{"changes": [{"at": "R32 P2", "status": "unaffected"}, {"at": "R33 P2", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "R17", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sven Hebrok"}, {"lang": "en", "type": "finder", "value": "Felix Cramer"}, {"lang": "en", "type": "finder", "value": "Tim Storm"}, {"lang": "en", "type": "finder", "value": "Maximilian Radoy"}, {"lang": "en", "type": "finder", "value": "Juraj Somorovsky"}], "datePublic": "2025-02-05T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key\">TLS Session Tickets</a> are used and/or the <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache\">SSL session cache</a> are used in the default server and the default server is performing client certificate authentication.&nbsp;&nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n</p><br><br>"}], "value": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2025-02-05T17:31:07.316Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000149173"}], "source": {"discovery": "EXTERNAL"}, "title": "TLS Session Resumption Vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/02/05/8"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:00:19.099Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-05T18:12:47.047226Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:41:06.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/02/05/8"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-05T20:03:02.242Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-05T18:12:47.047226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:39:28.521Z"}}], "cna": {"title": "TLS Session Resumption Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Sven Hebrok"}, {"lang": "en", "type": "finder", "value": "Felix Cramer"}, {"lang": "en", "type": "finder", "value": "Tim Storm"}, {"lang": "en", "type": "finder", "value": "Maximilian Radoy"}, {"lang": "en", "type": "finder", "value": "Juraj Somorovsky"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "product": "NGINX Open Source", "versions": [{"status": "affected", "changes": [{"at": "1.27.4", "status": "unaffected"}, {"at": "1.26.3", "status": "unaffected"}], "version": "1.11.4", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "NGINX Plus", "versions": [{"status": "affected", "changes": [{"at": "R32 P2", "status": "unaffected"}, {"at": "R33 P2", "status": "unaffected"}], "version": "R17", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2025-02-05T15:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000149173", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "<p>When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key\">TLS Session Tickets</a> are used and/or the <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache\">SSL session cache</a> are used in the default server and the default server is performing client certificate authentication.&nbsp;&nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n</p><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2025-02-05T17:31:07.316Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23419", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:41:06.184Z", "dateReserved": "2025-01-22T00:17:16.444Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2025-02-05T17:31:07.316Z", "assignerShortName": "f5"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "Cuando se configuran varios bloques de servidores para compartir la misma direcci\u00f3n IP y puerto, un atacante puede usar la reanudaci\u00f3n de sesi\u00f3n para eludir los requisitos de autenticaci\u00f3n de certificados de cliente en estos servidores. Esta vulnerabilidad surge cuando se utilizan tickets de sesi\u00f3n TLS https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key y/o se utiliza la cach\u00e9 de sesi\u00f3n SSL https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache en el servidor predeterminado y este est\u00e1 realizando la autenticaci\u00f3n de certificados de cliente. Nota: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan."}], "id": "CVE-2025-23419", "lastModified": "2025-11-03T21:19:15.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "f5sirt@f5.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2025-02-05T18:15:33.347", "references": [{"source": "f5sirt@f5.com", "url": "https://my.f5.com/manage/s/article/K000149173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/02/05/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7331", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nginx-2:1.20.1-22.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "nginx: TLS Session Resumption Vulnerability", "id": "2344005", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344005"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.\u00a0\u00a0\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "A flaw was found in nginx. When name-based virtual hosts are configured to share the same IP address and port combination with TLS 1.3 and OpenSSL, a previously authenticated attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS session tickets are used, the SSL session cache is used in the default virtual server, and the default virtual server performs client certificate authentication."], "mitigation": {"lang": "en:us", "value": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-23419", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Fix deferred", "package_name": "nginx", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.26/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:insights_proxy:1", "fix_state": "Fix deferred", "package_name": "insights-proxy/insights-proxy-container-rhel9", "product_name": "Red Hat Insights proxy 1"}], "public_date": "2025-02-05T17:31:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23419\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23419\nhttps://my.f5.com/manage/s/article/K000149173"], "statement": "In regulated environments, layered security controls significantly reduce the risk of exploiting this CWE-287: Improper Authentication vulnerability, justifying a severity downgrade from Moderate to Low.\nAccess to the platform is granted only after successful authentication through multifactor authentication (MFA). Domain accounts are configured to lock out based on predefined access policies, reducing the effectiveness of brute-force attacks on authentication mechanisms. The platform employs IAM roles for identification and authentication within its cloud infrastructure that govern user access to resources and manage provisioning, deployment, and configuration within the platform environment. This reduces the risk of unauthorized access through third-party or external user accounts. Finally, memory protection mechanisms are used to enhance resilience against unauthorized commands or improper authentication.\nThis vulnerability affects NGINX versions 1.11.4 to 1.27.3 and is fixed in 1.27.4 (mainline) and 1.26.3 (stable). RHEL 9 includes a backported fix in the NGINX 1.20 package. In RHEL 8 and 9 modular streams (1.22/1.24), the issue is marked \"Fix deferred\" \u2014 see the FAQ for details. RHEL 10 and later, with NGINX 1.26+, are not affected.", "threat_severity": "Moderate"}