CVE-2025-45939
BaseFortify
Publication date: 2025-07-25
Last updated on: 2025-10-10
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apwide | golive | 10.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apwide Golive 10.2.0 Jira plugin is a Server-Side Request Forgery (SSRF) issue that allows users with Golive Administrator permissions to configure automation rule endpoints without restrictions. This means an attacker could exploit the test webhook function to make unauthorized requests from the server, potentially accessing internal or restricted resources. [1]
How can this vulnerability impact me? :
The vulnerability can allow an attacker to perform SSRF attacks, which may lead to unauthorized access to internal systems, data leakage, or further exploitation within the network. This can compromise confidentiality, integrity, and availability of affected systems. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-45939, upgrade Apwide Golive to version 10.5.2 or later, which enforces that automation rule endpoints must be explicitly allowed through Jira's outgoing URL allowlist. Ensure that only trusted endpoints are included in this allowlist. This security check can only be disabled by a Jira administrator, maintaining centralized control consistent with Jira's native security controls. [1]