diff --git a/2025/3xxx/CVE-2025-3837.json b/2025/3xxx/CVE-2025-3837.json
index c1ab7fbf2a5..0241f8cbadf 100644
--- a/2025/3xxx/CVE-2025-3837.json
+++ b/2025/3xxx/CVE-2025-3837.json
@@ -1,18 +1,109 @@
{
+ "data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
- "data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2025-3837",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "Security@saviynt.com",
+ "STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An improper input validation vulnerability is identified in the End of Life (EOL) OVA based connect component which is deployed for installation purposes in the customer internal network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. Under certain circumstances, an actor can manipulate a specific request parameter and inject code execution payload which could lead to a remote code execution on the infrastructure hosting this component."
}
]
- }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation",
+ "cweId": "CWE-20"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Saviynt",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OVA based Connect",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-3.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://saviynt.com/trust-compliance-security",
+ "refsource": "MISC",
+ "name": "https://saviynt.com/trust-compliance-security"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Follow this documentation link and migrate to the latest version of Saviynt Connect component
"
+ }
+ ],
+ "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Achmea Security Assessment Team (SAT)"
+ }
+ ]
}
\ No newline at end of file
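Review bot: The supportingMedia value in the solution block appears to contain a literal line break inside the JSON string (the closing quote sits on its own line), which RFC 8259 parsers reject; if that break is really in the file it should be an escaped `\n` or, better, dropped so the entry reads `"value": "Follow this documentation link and migrate to the latest version of Saviynt Connect component"`. This may be an extraction artifact, but the same pattern recurs in the CVE-2025-3838 and CVE-2025-3840 hunks, so all three files should be checked with a strict parser before merge. That same media entry is typed `text/html` yet says "Follow this documentation link" without carrying any link, while the plain `value` next to it holds the URL preceded by a stray `\u00a0`; either embed the link in the HTML entry or make both texts identical. The `lang` tags are also inconsistent within one document: `"eng"` in description_data and problemtype, `"en"` in solution and credits. Finally, the docs.saviyntcloud.com remediation URL appears only inside the solution prose and not in reference_data, which is where downstream consumers harvest links.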
diff --git a/2025/3xxx/CVE-2025-3838.json b/2025/3xxx/CVE-2025-3838.json
new file mode 100644
index 00000000000..0b4b0717250
--- /dev/null
+++ b/2025/3xxx/CVE-2025-3838.json
@@ -0,0 +1,118 @@
+{
+ "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-3838",
+ "ASSIGNER": "Security@saviynt.com",
+ "STATE": "PUBLIC"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "An Improper Authorization vulnerability was identified in the EOL OVA based connect component which is deployed for installation purposes in the customer internal network. Under certain conditions, this could allow a bad actor to gain unauthorized access to the local db containing weakly hashed credentials of the installer. This EOL component was deprecated in September 2023 with end of support extended till January 2024."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-863 Incorrect Authorization",
+ "cweId": "CWE-863"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
+ "cweId": "CWE-327"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Saviynt",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OVA based Connect",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-3.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://saviynt.com/trust-compliance-security",
+ "refsource": "MISC",
+ "name": "https://saviynt.com/trust-compliance-security"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Follow this documentation link and migrate to the latest version of Saviynt Connect component
"
+ }
+ ],
+ "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Achmea Security Assessment Team (SAT)"
+ }
+ ]
+}
\ No newline at end of file
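Review bot: The description says the exposed local db holds "weakly hashed credentials of the installer" but never names the hash scheme, so the CWE-327 entry in problemtype cannot be checked against the text; if the weakness is a fast or unsalted password hash, CWE-916 (Use of Password Hash With Insufficient Computational Effort) is the more precise tag, and either way the description should state what was found. Because leaked installer credentials stay usable after the appliance is replaced, the solution value should also tell operators to rotate them, e.g. appending `; rotate any installer credentials that were stored on the affected appliance` to the existing migration sentence. "local db" is vague as well; naming the store (or at least that it is an on-appliance file) would help asset owners scope the exposure.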
diff --git a/2025/3xxx/CVE-2025-3839.json b/2025/3xxx/CVE-2025-3839.json
new file mode 100644
index 00000000000..e08e44f4b80
--- /dev/null
+++ b/2025/3xxx/CVE-2025-3839.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-3839",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2025/3xxx/CVE-2025-3840.json b/2025/3xxx/CVE-2025-3840.json
new file mode 100644
index 00000000000..d0812046458
--- /dev/null
+++ b/2025/3xxx/CVE-2025-3840.json
@@ -0,0 +1,109 @@
+{
+ "data_version": "4.0",
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "CVE_data_meta": {
+ "ID": "CVE-2025-3840",
+ "ASSIGNER": "Security@saviynt.com",
+ "STATE": "PUBLIC"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')",
+ "cweId": "CWE-79"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Saviynt",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "OVA based Connect",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "AlmaLinux-8.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "CentOS-7.x_SC2.0-Client-3.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-2.0"
+ },
+ {
+ "version_affected": "=",
+ "version_value": "RHEL-8.x_SC2.0-Client-3.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://saviynt.com/trust-compliance-security",
+ "refsource": "MISC",
+ "name": "https://saviynt.com/trust-compliance-security"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.2.0"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "solution": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Follow this documentation link and migrate to the latest version of Saviynt Connect component
"
+ }
+ ],
+ "value": "Follow this documentation link https://docs.saviyntcloud.com/bundle/Saviynt-Connect-20-Resources/page/Content/Saviynt-Connect-20-Client-Configurations.htm \u00a0and migrate to the latest version of Saviynt Connect component"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Achmea Security Assessment Team (SAT)"
+ }
+ ]
+}
\ No newline at end of file
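Review bot: The description says manipulating the login form's action parameter "would lead to a XSS attack under certain conditions" but does not state whether the injection is reflected or stored, nor whether an authenticated session is required, which is what defenders need to judge exposure on an EOL appliance that is only reachable on the internal network. One added sentence stating the XSS class and the authentication precondition would make the entry actionable, and "a XSS" should read "an XSS".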