CVE-2025-22234

medium

Red Hat

CVSS v3 Base Score

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.0%

Exploitation probability in 30 days

Top 99% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

Low

Integrity

None

Availability

None

Published: January 22, 2026 (112 days ago)

Last Modified: January 22, 2026

Vendor: Red Hat

Description

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

CWE

CWE-208

Affected Products

OpenShift Developer Tools and ServicesRed Hat build of Apache Camel for Spring Boot 4Red Hat build of Apache Camel - HawtIO 4Red Hat Data Grid 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift Dev SpacesRed Hat Process Automation 7

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 spring.io

CVE-2025-22234

Vulnerability Report

Description

CWE

Affected Products

References