CLEANSTART-2026-EZ90321

See a problem?

Import Source

https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/advisories/2026/CLEANSTART-2026-EZ90321.json

JSON Data

https://api.osv.dev/v1/vulns/CLEANSTART-2026-EZ90321

Upstream

CVE-2025-67735

CVE-2025-68161

CVE-2026-1225

CVE-2026-24281

CVE-2026-24308

CVE-2026-33870

CVE-2026-33871

ghsa-25qh-j22f-pwp8

ghsa-389x-839f-4rhx

ghsa-3p8m-j85q-pgmj

ghsa-4cx2-fc23-5wg6

ghsa-4g8c-wm8x-jfhw

ghsa-72hv-8253-57qq

ghsa-735f-pc8j-v9w8

ghsa-7xrh-hqfc-g7qr

ghsa-84h7-rjj3-6jx4

ghsa-crhr-qqj8-rpxc

ghsa-fghv-69vj-qj49

ghsa-prj3-ccx8-p6x4

ghsa-pwqr-wmgm-9rr8

ghsa-qqpg-mvqg-649v

ghsa-vc5p-v9hr-52mj

ghsa-w9fj-cfpg-grvv

ghsa-xq3w-v528-46rv

Published

2026-04-16T00:40:49.655378Z

Modified

2026-04-23T05:01:03.802601Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper s...

Details

Multiple security vulnerabilities affect the kserve-modelmesh package. Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. See references for individual vulnerability details.

References

Affected packages

CleanStart / kserve-modelmesh

Package

Name: kserve-modelmesh

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.12.0-r16

Database specific

source

"https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/advisories/2026/CLEANSTART-2026-EZ90321.json"