CVE-2025-22234

medium

Red Hat

CVSS v3 Base Score

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Published: January 22, 2026

Last Modified: January 22, 2026

Vendor: Red Hat

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

CWE

CWE-208

Affected Products

OpenShift Developer Tools and ServicesRed Hat build of Apache Camel for Spring Boot 4Red Hat build of Apache Camel - HawtIO 4Red Hat Data Grid 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift Dev SpacesRed Hat Process Automation 7

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 spring.io

CVE-2025-22234

Vulnerability Report

Description

CWE

Affected Products

References