From 1f72fdeff02bee0489c2104dca627e047fe66944 Mon Sep 17 00:00:00 2001
From: Forrest Evans <fdevans@gmail.com>
Date: Wed, 27 Aug 2025 14:04:44 -0700
Subject: [PATCH 1/2] False finding for CVE-2025-41242

---
 docs/history/cves/CVE-2025-41242.md | 13 +++++++++++++
 docs/history/cves/CVE-2025-48924.md |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 docs/history/cves/CVE-2025-41242.md

diff --git a/docs/history/cves/CVE-2025-41242.md b/docs/history/cves/CVE-2025-41242.md
new file mode 100644
index 000000000..a210aecaf
--- /dev/null
+++ b/docs/history/cves/CVE-2025-41242.md
@@ -0,0 +1,13 @@
+---
+order: 51
+---
+
+# CVE-2025-41242
+
+## Path traversal vulnerability on non-compliant Servlet containers
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable disable the default security features.
\ No newline at end of file
diff --git a/docs/history/cves/CVE-2025-48924.md b/docs/history/cves/CVE-2025-48924.md
index 8c44dea2c..7e9cb0352 100644
--- a/docs/history/cves/CVE-2025-48924.md
+++ b/docs/history/cves/CVE-2025-48924.md
@@ -1,5 +1,5 @@
 ---
-order: 51
+order: 52
 ---
 
 # CVE-2025-48924

From f63d2fd085697afc716f11c6a048b9ce8a0cd899 Mon Sep 17 00:00:00 2001
From: Forrest Evans <fdevans@gmail.com>
Date: Wed, 27 Aug 2025 14:07:34 -0700
Subject: [PATCH 2/2] add to index and fixup some other links

---
 docs/history/cves/index.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
index d454fde91..3648cfc7e 100644
--- a/docs/history/cves/index.md
+++ b/docs/history/cves/index.md
@@ -53,4 +53,6 @@ These are the Security Advisories Rundeck has issued in the past.  It is always
 * [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md).
 * [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md).
 * [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
-* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
\ No newline at end of file
+* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
+* [CVE-2025-41242 Spring Path traversal](cve-2025-41242.md).
+* [CVE-2025-48924 Issue in Apache Commons Lang](cve-2025-48924.md)
\ No newline at end of file