Data Management and Analytics

In MySQL Server (component: Server: UDF) versions 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0 a medium severity vulnerability CVE-2025-30721 was detected. This vulnerability allows a high-privileged attacker with logon access to compromise MySQL Server, requiring human interaction and potentially causing a crash (DOS). To address this issue, users should upgrade MySQL Server to versions 8.0.42-1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30721.

In Mattermost versions 10.5.0 to 10.5.1, 10.4.0 to 10.4.3, and 9.11.0 to 9.11.9 a low severity vulnerability CVE-2025-24839 was detected. This vulnerability allows users to turn on the AI bot by adding a setting to a post using the Wrangler plugin, even if they don’t have access to the bot. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-24839.

In Metabase versions 52.x before 52.17.1, 53.x before 53.9.5 and 54.x before 54.1.5 a low severity vulnerability CVE-2025-32382 was detected. This vulnerability allows sensitive Snowflake connection credentials, including usernames and passwords, to be logged during connection migration due to improper purging of stale connection methods. To address this issue, users should upgrade Metabase to versions 52.17.1, 53.9.5 or 54.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-32382.

In Elasticsearch versions 7.17.0 to 7.17.23 and 8.0 to 8.15.0 a medium severity vulnerability CVE-2024-52981 was detected. This vulnerability allows attackers to trigger a stack overflow by submitting a Well-Known Text (WKT) formatted string containing deeply nested GeometryCollection objects. To address this issue, users should upgrade Elasticsearch to versions 8.15.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52981.

In Elasticsearch versions 7.17.0 to 8.15.0 a medium severity vulnerability CVE-2024-52980 was detected. This vulnerability allows attackers with the `read_pipeline` cluster privilege to craft a recursive input that exploits the `innerForbidCircularReferences` function in the `PatternBank` class, potentially causing the Elasticsearch node to crash. To address this issue, users should upgrade Elasticsearch to versions 8.15.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52980.

In Kibana versions 7.17.0 to 7.17.22 and versions 8.0.0 to 8.15.0 a medium severity vulnerability CVE-2024-52974 was detected. This vulnerability allows attackers with read permissions for Observability to crash the Kibana server by sending specially crafted requests to the Observability API. To address this issue, users should upgrade Kibana to versions 8.15.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-52974.

In Kibana versions 8.16.1 up to and including 8.17.1 a high severity vulnerability CVE-2024-12556 was detected. This vulnerability allows attackers to perform prototype pollution leading to potential code injection by exploiting unrestricted file uploads combined with path traversal. To address this issue, users should upgrade Kibana to versions 8.16.4, 8.17.2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12556.

In Fluent Bit version 3.7.2 a medium severity vulnerability CVE-2025-29478 was detected. This vulnerability allows a local attacker to cause a denial of service using the cfl_list_size function. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-29478.

In SQLite version 3.49.0 a critical severity vulnerability CVE-2025-29087 was detected. This vulnerability allows attackers to trigger an integer overflow using the concat function. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-29087.