Security:Security Advisories/BSSA-2026-01: Difference between revisions

Latest revision as of 12:52, 4 March 2026



Date	2026-01-29
Severity	reported "high", BlueSpice assessment: low
Affected	Services in current LTS version < 5.1.4
Fixed in	5.2.1, 5.1.5
CVE	CVE-2025-14847

Problem

Service collabpads-database (image name: mongo ) - CVE-2025-14847

Impact assessment

Service collabpads-database (image name: mongo )
- A unauthenticated MongoDB client can attack the service if reachable. By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.

Solution

To mitigate CVE-2025-14847 use one of the following options:

Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
Update the mongo docker image via BlueSpice's deploy tool: bluespice-deploy pull collabpads-database && bluespice-deploy up -d
Update to version >=5.1.5 or >=5.2.1 of the BlueSpice images

@@ Line 14: / Line 14: @@
 |-
 |Fixed in
-|
+|5.2.1, 5.1.5
 |-
 |CVE
-|
+| [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
-* [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
-* [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467]
 |}
 ==Problem==
-{| class="wikitable"
+* Service <code>collabpads-database</code> (image name: <code>mongo</code> ) - [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
-!'''CVE'''
-!'''Component'''
-!'''Type of vulnerability'''
-!'''BlueSpice 5'''
-!'''BlueSpice 4'''
-|-
-|CVE-2025-14847
-|<code>container collabpads-database(image:mongo:8.0)</code>
-|Information Disclosure
-| style="" class="col-purple-bg" |affected
-| style="" class="col-purple-bg" |affected
-|-
-|CVE-2025-15467
-|Container <code>bluespice/database</code>
-|Buffer Overflow
-| style="" class="col-purple-bg" |affected
-| style="" class="col-purple-bg" |affected
-|}
 ==Impact assessment==
 * Service <code>collabpads-database</code> (image name: <code>mongo</code> )
 ** A unauthenticated MongoDB client can attack the service if reachable.  By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.
-{| class="wikitable" style="width: 100%;"
-!CVE
-!Assessment
-!Mitigation without update
-|-
-| style="vertical-align:middle;text-align:left;" |CVE-2025-14847
-| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low
-| style="vertical-align:middle;text-align:left;" |Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
-|-
-|CVE-2025-15467
-| style="" class="col-orange-bg" |Low
-|Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
-|}
 == Solution ==
@@ Line 64: / Line 31: @@
 # Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
 # Update the <code>mongo</code> docker image via BlueSpice's deploy tool: <code>bluespice-deploy pull collabpads-database && bluespice-deploy up -d</code>
+# Update to version >=5.1.5 or >=5.2.1  of the BlueSpice images