CVE-2025-47222
Class name enumeration
Issue summary
Setting an arbitrary class name on any of the properties that require a class path returns different errors depending on whether the provided class exists in the deployment, which is not expected behaviour. This reveals to the client side whether a given class is loaded in the application or not.
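To illustrate the error-oracle pattern described above, here is an added Java example (not SignServer code; the class and method names are hypothetical): a property validator whose reply differs depending on whether the class loads, beside a hardened variant that checks an allowlist, avoids running static initializers, and returns one generic message while logging the real reason server-side.

```java
import java.util.Set;
import java.util.logging.Logger;

/* Illustration only, not SignServer code. validateLeaky/validateUniform are hypothetical. */
public class ClassPropertyCheck {
    private static final Logger LOG = Logger.getLogger(ClassPropertyCheck.class.getName());
    private static final String GENERIC = "Invalid value for class property";

    /** Leaky: the reply differs depending on whether the class can be loaded. */
    static String validateLeaky(String className, Class<?> expectedType) {
        try {
            Class<?> c = Class.forName(className);
            return expectedType.isAssignableFrom(c)
                    ? "OK"
                    : "Class " + className + " does not implement " + expectedType.getName();
        } catch (ClassNotFoundException e) {
            return "Class not found: " + className; // confirms to the caller that the class is absent
        }
    }

    /** Hardened: allowlist first, no static initialisation, one client-facing message. */
    static String validateUniform(String className, Class<?> expectedType, Set<String> allowed) {
        if (!allowed.contains(className)) {
            LOG.warning("class property rejected, not on allowlist: " + className);
            return GENERIC;
        }
        try {
            // initialize=false: resolve the name without running its static initializers
            Class<?> c = Class.forName(className, false, ClassPropertyCheck.class.getClassLoader());
            if (!expectedType.isAssignableFrom(c)) {
                LOG.warning("class property rejected, wrong type: " + className);
                return GENERIC;
            }
            return "OK";
        } catch (ClassNotFoundException | LinkageError e) {
            LOG.warning("class property rejected, not loadable: " + className);
            return GENERIC; // same message as every other failure
        }
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("java.util.ArrayList"); // constructed sample allowlist
        // Leaky replies differ, so the caller can tell which names resolve.
        System.out.println(validateLeaky("java.util.ArrayList", Runnable.class));
        System.out.println(validateLeaky("com.example.NoSuchClass", Runnable.class));
        // Hardened replies are identical for both rejected probes.
        System.out.println(validateUniform("java.util.ArrayList", Runnable.class, allowed));
        System.out.println(validateUniform("com.example.NoSuchClass", Runnable.class, allowed));
    }
}
```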
Severity
Keyfactor rates the severity as low, with a CVSS score of 2.4. Assigned CVE-2025-47222.
Who is affected?
All SignServer users on versions prior to 7.3.2.
Risk assessment
An authorized Admin user can learn, from the client side, whether a provided class has been loaded into the application.
Mitigation
Upgrade to SignServer 7.3.2 or later.
Additional information
Should you have any additional questions, please reach out to support@keyfactor.com.