[QUESTION] -CVE-2025-59250 fix for 13.2.1.jre11

[PookiPok]

Question

Our company scanning found this CVE https://nvd.nist.gov/vuln/detail/CVE-2025-59250 coming from 13.2.1.jre11, i see this should be fix for 13.2.1.jre8 so the question is this False/Positive or this was not fix for 13.2.1.jre11, same question also for 12.8.2.jre11

[machavan]

Hi @PookiPok ,

This vulnerability has been addressed in the mentioned hotfix release versions : 13.2.1 and also in 12.8.2 (and also in other supported JDBC versions)

[jakub-czajkowski]

I wonder if the question @PookiPok about potential false positive didn't come from the issue about the scanners interpretation of version number (because in Manifests, it is without "jre" suffix): aquasecurity/trivy#9745

[machavan]

@jakub-czajkowski , there has been no change in the versioning.

[rutuja120190]

@machavan Even i have updated to 13.2.1.jre11, but trivy is still failing, here is report:

"Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network."

[concreted]

@machavan Same as @rutuja120190, I am still getting the Trivy CVE report for this even though I have installed 12.2.1 which should be fixed.

According to Trivy dev feedback on aquasecurity/trivy#9745, this is due to metadata file that contains the version 12.2.1 without the .jre suffix.

For example, when I installed 12.2.0.jre11, the Installed Version correclty lists 12.2.0.jre11:

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                    │                          Title                           │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed  │ 12.2.0.jre11      │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation │
│                                              │                │          │        │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                    │
│                                              │                │          │        │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250               │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘

However when I installed 12.2.1.jre11, the Installed Version seen by Trivy lacks the .jre11 suffix:

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                    │                          Title                           │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed  │ 12.2.1            │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation │
│                                              │                │          │        │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                    │
│                                              │                │          │        │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250               │
└─────────────────────────────

According to aquasecurity/trivy#9745 (comment), the missing suffix is what causes Trivy to think the fix version is not being used.

The conclusion on Trivy's side is this is an issue with the vendor package, not with Trivy (see aquasecurity/trivy#9745 (reply in thread)).

Do you have any ideas what could be causing the difference in versioning seen by Trivy, between 12.2.0 and 12.2.1? They say it is taken directly from the package manifests.

[rutuja120190]

Anyone got solution to this? Please help us with it.

[jxf684]

For the time being, until MS fixes the issue, I am using a .trivyignore

[stranljip]

This still causes problems with scanners, aside from trivy, JFrog XRay is also still reporting this error.

[machavan]

We will be making a change in the main branch to update the bundle-version in the manifest file to include the jre suffix so that it matches the jar file names. This change will be available in the upcoming 13.3.1 (preview) release.