{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2025/cve-2025-43014-els_os-almalinux9_2esu.json"
      }
    ],
    "title": "Security update on CVE-2025-43014",
    "tracking": {
      "current_release_date": "2026-01-19T22:22:54Z",
      "generator": {
        "date": "2026-01-19T22:22:54Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-43014-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2025-04-17T16:16:00Z",
      "revision_history": [
        {
          "date": "2025-04-17T16:16:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-29T11:34:26Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-01-19T22:22:54Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "toolbox-0:0.0.99.3-10.el9.x86_64",
                "product": {
                  "name": "toolbox-0:0.0.99.3-10.el9.x86_64",
                  "product_id": "toolbox-0:0.0.99.3-10.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/toolbox@0.0.99.3-10.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "toolbox-tests-0:0.0.99.3-10.el9.x86_64",
                "product": {
                  "name": "toolbox-tests-0:0.0.99.3-10.el9.x86_64",
                  "product_id": "toolbox-tests-0:0.0.99.3-10.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/toolbox-tests@0.0.99.3-10.el9?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                  "product_id": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/toolbox@0.0.99.3-10.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                  "product_id": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/toolbox-tests@0.0.99.3-10.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "toolbox-0:0.0.99.3-10.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.x86_64"
        },
        "product_reference": "toolbox-0:0.0.99.3-10.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "toolbox-tests-0:0.0.99.3-10.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.x86_64"
        },
        "product_reference": "toolbox-tests-0:0.0.99.3-10.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-43014",
      "cwe": {
        "id": "CWE-304",
        "name": "Missing Critical Step in Authentication"
      },
      "notes": [
        {
          "category": "description",
          "text": "In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.x86_64",
          "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.x86_64",
          "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-43014"
        },
        {
          "category": "external",
          "summary": "JetBrains list of fixed security issues",
          "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
        }
      ],
      "release_date": "2025-04-17T16:16:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This issue affects only machines with JetBrains Toolbox App prior to 2.6 that use its SSH plugin; hosts without this desktop client installed are not impacted. The flaw weakens a user-confirmation step for outbound SSH sessions opened within the app; it does not provide code execution or privilege escalation on the host, and it has only low confidentiality and integrity impact and no availability impact. Because headless server and cloud VM base images do not include this desktop application by default, exposure in managed enterprise VM and server fleets is limited, so this issue can be safely deprioritized.",
          "product_ids": [
            "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.x86_64",
            "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.x86_64",
            "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.x86_64",
            "AlmaLinux-9.2:toolbox-0:0.0.99.3-10.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.x86_64",
            "AlmaLinux-9.2:toolbox-tests-0:0.0.99.3-10.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}