{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3164", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-04-03T07:10:46.905Z", "datePublished": "2025-04-03T15:31:06.610Z", "dateUpdated": "2025-04-03T19:56:47.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-04-03T15:31:06.610Z"}, "title": "Tencent Music Entertainment SuperSonic H2 Database Connection testConnect code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Tencent Music Entertainment", "product": "SuperSonic", "versions": [{"version": "0.9.0", "status": "affected"}, {"version": "0.9.1", "status": "affected"}, {"version": "0.9.2", "status": "affected"}, {"version": "0.9.3", "status": "affected"}, {"version": "0.9.4", "status": "affected"}, {"version": "0.9.5", "status": "affected"}, {"version": "0.9.6", "status": "affected"}, {"version": "0.9.7", "status": "affected"}, {"version": "0.9.8", "status": "affected"}], "modules": ["H2 Database Connection Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Eine kritische Schwachstelle wurde in Tencent Music Entertainment SuperSonic bis 0.9.8 ausgemacht. Davon betroffen ist unbekannter Code der Datei /api/semantic/database/testConnect der Komponente H2 Database Connection Handler. Mittels dem Manipulieren mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}], "timeline": [{"time": "2025-04-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-04-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-04-03T09:16:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "startr4ck (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.303110", "name": "VDB-303110 | Tencent Music Entertainment SuperSonic H2 Database Connection testConnect code injection", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.303110", "name": "VDB-303110 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.542528", "name": "Submit #542528 | tencentmusic supersonic 0.9.8 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/tencentmusic/supersonic/issues/2193", "tags": ["issue-tracking"]}, {"url": "https://github.com/tencentmusic/supersonic/issues/2193#issue-2945884387", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"references": [{"url": "https://github.com/tencentmusic/supersonic/issues/2193", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-03T19:56:23.863997Z", "id": "CVE-2025-3164", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-03T19:56:47.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3164", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-03T19:56:23.863997Z"}}}], "references": [{"url": "https://github.com/tencentmusic/supersonic/issues/2193", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-03T19:56:39.777Z"}}], "cna": {"title": "Tencent Music Entertainment SuperSonic H2 Database Connection testConnect code injection", "credits": [{"lang": "en", "type": "reporter", "value": "startr4ck (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P"}}], "affected": [{"vendor": "Tencent Music Entertainment", "modules": ["H2 Database Connection Handler"], "product": "SuperSonic", "versions": [{"status": "affected", "version": "0.9.0"}, {"status": "affected", "version": "0.9.1"}, {"status": "affected", "version": "0.9.2"}, {"status": "affected", "version": "0.9.3"}, {"status": "affected", "version": "0.9.4"}, {"status": "affected", "version": "0.9.5"}, {"status": "affected", "version": "0.9.6"}, {"status": "affected", "version": "0.9.7"}, {"status": "affected", "version": "0.9.8"}]}], "timeline": [{"lang": "en", "time": "2025-04-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-04-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-04-03T09:16:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.303110", "name": "VDB-303110 | Tencent Music Entertainment SuperSonic H2 Database Connection testConnect code injection", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.303110", "name": "VDB-303110 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.542528", "name": "Submit #542528 | tencentmusic supersonic 0.9.8 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/tencentmusic/supersonic/issues/2193", "tags": ["issue-tracking"]}, {"url": "https://github.com/tencentmusic/supersonic/issues/2193#issue-2945884387", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Eine kritische Schwachstelle wurde in Tencent Music Entertainment SuperSonic bis 0.9.8 ausgemacht. Davon betroffen ist unbekannter Code der Datei /api/semantic/database/testConnect der Komponente H2 Database Connection Handler. Mittels dem Manipulieren mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-04-03T15:31:06.610Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3164", "state": "PUBLISHED", "dateUpdated": "2025-04-03T19:56:47.515Z", "dateReserved": "2025-04-03T07:10:46.905Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-04-03T15:31:06.610Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tencentmusic:supersonic:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBBA7FEF-6F7B-4EFD-82BB-C60A1558D934", "versionEndIncluding": "0.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Tencent Music Entertainment SuperSonic hasta la versi\u00f3n 0.9.8. Se ha clasificado como cr\u00edtica. Este problema afecta a una funcionalidad desconocida del archivo /api/semantic/database/testConnect del componente H2 Database Connection Handler. La manipulaci\u00f3n provoca la inyecci\u00f3n de c\u00f3digo. El ataque puede ejecutarse remotamente. Se ha hecho p\u00fablico el exploit y puede que sea utilizado."}], "id": "CVE-2025-3164", "lastModified": "2025-04-23T15:18:08.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-04-03T16:15:37.337", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/tencentmusic/supersonic/issues/2193"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/tencentmusic/supersonic/issues/2193#issue-2945884387"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.303110"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.303110"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.542528"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/tencentmusic/supersonic/issues/2193"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}