.. _vulnerabilityManagement_skip_registry_33x_CVE-2025-10492:

CVE-2025-10492
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data: 2025-10-05

Severity: High

CVSS Score:  8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Riferimenti:  

- `https://nvd.nist.gov/vuln/detail/CVE-2025-10492 <https://nvd.nist.gov/vuln/detail/CVE-2025-10492>`_
- `https://ossindex.sonatype.org/vulnerability/CVE-2025-10492 <https://ossindex.sonatype.org/vulnerability/CVE-2025-10492>`_
- `https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/ <https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-september-16-2025-jaspersoft-library-cve-2025-10492-r6/>`_

Libreria: net.sf.jasperreports:jasperreports < 7.0.3

**Descrizione**

[CVE-2025-10492] CWE-502: Deserialization of Untrusted Data

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library

**Falso Positivo per GovWay**

Per generare i report nel progetto: 

- vengono usati solo dati interni (non influenzabili dagli utenti); 
- i template dei report sono tutti fidati (nessuno può caricarli/modificarli); 
- non vengono esposti endpoint o funzioni che accettino oggetti/stream serializzati provenienti dall’esterno. 

In questi scenari la CVE non è raggiungibile in pratica. 

Configuration File: `false-positive.xml <https://raw.githubusercontent.com/link-it/govway/master/mvn/dependencies/owasp/falsePositives/CVE-2025-10492.xml>`_