{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"apache-commons-lang security update", "category":"general", "title":"Synopsis" }, { "text":"An update for apache-commons-lang is now available for openEuler-20.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"The standard Java libraries fail to provide enough methods for manipulation of its core classes. Apache Commons Lang provides these extra methods.\n\nSecurity Fix(es):\n\nA vulnerability classified as problematic has been found in Apache Commons Lang up to 2.6/3.17.x.CWE is classifying the issue as CWE-674. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.18.0 eliminates this vulnerability.(CVE-2025-48924)", "category":"general", "title":"Description" }, { "text":"An update for apache-commons-lang is now available for openEuler-20.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"apache-commons-lang", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-2061", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2061" }, { "summary":"CVE-2025-48924", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-48924&packageName=apache-commons-lang" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48924" }, { "summary":"openEuler-SA-2025-2061 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-2061.json" } ], "title":"An update for apache-commons-lang is now available for openEuler-20.03-LTS-SP4", "tracking":{ "initial_release_date":"2025-08-22T19:39:47+08:00", "revision_history":[ { "date":"2025-08-22T19:39:47+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-08-22T19:39:47+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-08-22T19:39:47+08:00", "id":"openEuler-SA-2025-2061", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"apache-commons-lang-2.6-24.oe2003sp4.noarch.rpm", "name":"apache-commons-lang-2.6-24.oe2003sp4.noarch.rpm" }, "name":"apache-commons-lang-2.6-24.oe2003sp4.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"apache-commons-lang-help-2.6-24.oe2003sp4.noarch.rpm", "name":"apache-commons-lang-help-2.6-24.oe2003sp4.noarch.rpm" }, "name":"apache-commons-lang-help-2.6-24.oe2003sp4.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"apache-commons-lang-2.6-24.oe2003sp4.src.rpm", "name":"apache-commons-lang-2.6-24.oe2003sp4.src.rpm" }, "name":"apache-commons-lang-2.6-24.oe2003sp4.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"apache-commons-lang-2.6-24.oe2003sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.noarch", "name":"apache-commons-lang-2.6-24.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"apache-commons-lang-help-2.6-24.oe2003sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:apache-commons-lang-help-2.6-24.oe2003sp4.noarch", "name":"apache-commons-lang-help-2.6-24.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"apache-commons-lang-2.6-24.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.src", "name":"apache-commons-lang-2.6-24.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-48924", "notes":[ { "text":"A vulnerability classified as problematic has been found in Apache Commons Lang up to 2.6/3.17.x.CWE is classifying the issue as CWE-674. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.18.0 eliminates this vulnerability.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-help-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-help-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.src" ], "details":"apache-commons-lang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2061" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-help-2.6-24.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:apache-commons-lang-2.6-24.oe2003sp4.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-48924" } ] }