| Date | 2026-01-29 |
| Severity | reported "high", BlueSpice assessment: low |
| Affected | Services in current LTS version < 5.1.4 |
| Fixed in | 5.2.1, 5.1.5 |
| CVE | CVE-2025-14847 |
Problem
- Service
collabpads-database(image name:mongo) - CVE-2025-14847
Impact assessment
- Service
collabpads-database(image name:mongo)- A unauthenticated MongoDB client can attack the service if reachable. By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.
Solution
To mitigate CVE-2025-14847 use one of the following options:
- Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
- Update the
mongodocker image via BlueSpice's deploy tool:bluespice-deploy pull collabpads-database && bluespice-deploy up -d - Update to version >=5.1.5 or >=5.2.1 of the BlueSpice images
