{
  "threat_severity" : "Important",
  "public_date" : "2025-10-15T12:39:35Z",
  "bugzilla" : {
    "description" : "dotnet: .NET Information Disclosure Vulnerability",
    "id" : "2403083",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2403083"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-319",
  "details" : [ "Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.", "A flaw exists in certain .NET builds where a man-in-the-middle (MITM) attacker can prevent or downgrade TLS between a client and an SMTP server. This may cause the client to send credentials or message data over an unencrypted connection, exposing sensitive information to the attacker." ],
  "statement" : "The Red Hat Product Security team has assessed the severity of this vulnerability as High, given that it can be remotely exploited by a man-in-the-middle attacker without authentication or user interaction. Successful exploitation allows an attacker to disable TLS protection between a .NET client and an SMTP server, leading to exposure of credentials and message contents over an unencrypted connection. The vulnerability results from insufficient enforcement of TLS during SMTP session negotiation in the affected .NET runtime.\n```\n.NET 6.0 for RHEL-8, RHEL-9 and RHIVOS has reached its End of Life as of November 12, 2024, and is no longer supported. No fixes will be provided for this stream. For additional information about lifecycle for .NET on Red Hat Enterprise Linux, please refer to: https://access.redhat.com/support/policy/updates/net-core\n```",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18152",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet8.0-0:8.0.121-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18153",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "dotnet9.0-0:9.0.111-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18148",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.121-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18150",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.111-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18149",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.121-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-10-15T00:00:00Z",
    "advisory" : "RHSA-2025:18151",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.111-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-10-16T00:00:00Z",
    "advisory" : "RHSA-2025:18256",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dotnet8.0-0:8.0.121-1.el9_4"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9080",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet8-0-main-8.0.126-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9205",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet9-0-main-9.0.116-1.hum1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.25",
    "release_date" : "2025-12-15T00:00:00Z",
    "advisory" : "RHSA-2025:23225",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.25::el9",
    "package" : "devspaces/udi-rhel9:3.25.0-1765582207"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet6.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Not affected",
    "package_name" : "dotnet10.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55248\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55248" ],
  "name" : "CVE-2025-55248",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}