| Date | 2026-01-29 |
| Severity | reported "high", BlueSpice assessment: low |
| Affected | Services in current LTS version < 5.1.4 |
| Fixed in | |
| CVE | |

Problem
| CVE | Component | Type of vulnerability | BlueSpice 5 | BlueSpice 4 |
|---|---|---|---|---|
| CVE-2025-14847 | Container collabpads-database (image: mongo:8.0) | Information Disclosure | affected | affected |
| CVE-2025-15467 | Container bluespice/database | Buffer Overflow | affected | affected |

Impact assessment
- Service collabpads-database (image name: mongo)
  - An unauthenticated MongoDB client can attack the service if it is reachable. In the default BlueSpice setup, the service runs only in the background and cannot be accessed from outside the virtual network, so not even unauthenticated access is possible from any external location.

| CVE | Assessment | Mitigation without update |
|---|---|---|
| CVE-2025-14847 | Low | Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups. |
| CVE-2025-15467 | Low | Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups. |

Solution
To mitigate CVE-2025-14847 use one of the following options:
- Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
- Update the mongo Docker image via BlueSpice's deploy tool: bluespice-deploy pull collabpads-database && bluespice-deploy up -d
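
One way to confirm the first option, that the database containers are not reachable from outside the virtual network, is to review `docker inspect` output for published ports and host networking. The script below is an added example, not part of the BlueSpice tooling; the container names, the network name and the embedded inspect data are constructed assumptions.

```python
import json

# Constructed, trimmed sample of `docker inspect` output (not from a real host).
# Container and network names are assumptions for illustration.
SAMPLE_INSPECT = """
[
  {"Name": "/collabpads-database",
   "HostConfig": {"NetworkMode": "bluespice_default"},
   "NetworkSettings": {"Ports": {"27017/tcp": null}}},
  {"Name": "/collabpads-database-misconfigured",
   "HostConfig": {"NetworkMode": "bluespice_default"},
   "NetworkSettings": {"Ports": {"27017/tcp": [{"HostIp": "0.0.0.0", "HostPort": "27017"}]}}},
  {"Name": "/database-local-only",
   "HostConfig": {"NetworkMode": "bluespice_default"},
   "NetworkSettings": {"Ports": {"3306/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3306"}]}}},
  {"Name": "/database-hostnet",
   "HostConfig": {"NetworkMode": "host"},
   "NetworkSettings": {"Ports": {}}}
]
"""

LOOPBACK = {"127.0.0.1", "::1"}


def exposure_findings(inspect_json):
    """Return {container: [finding, ...]} for containers reachable beyond their virtual network."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        issues = []
        # Host networking bypasses the virtual network entirely.
        if (c.get("HostConfig") or {}).get("NetworkMode") == "host":
            issues.append("uses host networking")
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for port, bindings in ports.items():
            for b in bindings or []:  # null: exposed inside the network only
                ip = b.get("HostIp") or "0.0.0.0"  # empty HostIp means all interfaces
                if ip not in LOOPBACK:
                    issues.append(f"{port} published on {ip}:{b.get('HostPort')}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in exposure_findings(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(issues)}")
```

On a real host, feed the function the JSON printed by `docker inspect` for the running containers instead of the sample; an empty result means no container publishes a port on a non-loopback address or uses host networking.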