...
FLEXDEPLOY-11369 - The version of oauth2-oidc-sdk that ships with FlexDeploy is vulnerable to an XXE attack identified by Snyk as SNYK-JAVA-COMNIMBUSDS-1243767. This jar will be updated in 8.0.0.0.
FLEXDEPLOY-11371 - The version of nimbus-jose-jwt that ships with FlexDeploy is vulnerable to SNYK-JAVA-COMNIMBUSDS-6247633. This jar will be updated in future versions.
...
FLEXDEPLOY-10913 - The version of Amazon Ion that ships with the AWS, Docker, and EC2 plugins is vulnerable to CVE-2024-21634. Since the only source targeted by those plugins is Amazon's trusted APIs, the vulnerability does not affect FlexDeploy. This warning was resolved in 7.0.0.3.
January 10, 2024
FLEXDEPLOY-10895 - FlexDeploy ships with a version of json-smart that is vulnerable to CVE-2023-1370. This was resolved in 6.0.0.10, 6.5.0.15, and 7.0.0.3.
FLEXDEPLOY-10898 - FlexDeploy ships with a version of junit that is vulnerable to CVE-2020-15250. This was resolved in 8.0.0.0.
January 9, 2024
FLEXDEPLOY-10879 - The version of SSHJ that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. This was resolved in 7.0.0.2.
January 8, 2024
FLEXDEPLOY-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn't available yet. This will be addressed in a future FlexDeploy version.
FLEXDEPLOY-10872 - The version of Trilead SSH2 that ships with the SVNKit that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn't available yet. This will be addressed in a future FlexDeploy version.
FLEXDEPLOY-10873 - Json-path is vulnerable to stack overflow exceptions if improper input is parsed. https://nvd.nist.gov/vuln/detail/CVE-2023-51074 is assigned to this issue. This was fixed in 7.0.0.3.
January 5, 2024
FLEXDEPLOY-10845 - Prevent a potential authentication bypass issue on REST calls. The calls were still authorized, but some REST calls allowed non-secured data to be read without authentication in certain cases.
Affects versions 6.0 < 6.0.0.10, 6.5 < 6.5.0.14, 7.0 < 7.0.0.2. This is fixed in versions 6.0.0.10, 6.5.0.14, 7.0.0.2, and 8.0.0.0. Versions < 6.0 are not affected.
...
FLEXDEPLOY-10814 - FlexDeploy ships with a version of Shiro vulnerable to CVE-2023-46570. This was resolved in 7.0.0.3 and 8.0.0.0.
FLEXDEPLOY-10839 - FlexDeploy ships with a version of xmlsec vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-44483. This was resolved in 7.0.0.3 and 8.0.0.0.
January 2, 2024
FLEXDEPLOY-10826 - FlexDeploy ships with JSON-java (org.json) that is vulnerable to CVE-2023-5072, https://github.com/advisories/GHSA-4jq9-2xhw-jpx7, and CVE-2022-45688. This was resolved in 7.0.0.2.
December 11, 2023
FLEXDEPLOY-10663 (FlexDeploy) and FLEXDEPLOY-10715 (HTTPS Agent) - The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-46589. Tomcat will be upgraded to version 9.0.83+ in future releases. The HTTPS agent is updated as of 7.0.0.1/8.0.0.0. FlexDeploy is updated in 7.0.0.2, 6.5.0.14, and 8.0.0.0.
...
FLEXDEPLOY-7790 - The version of cucumber-core that ships with the cucumber plugin includes several outdated JavaScript libraries that are vulnerable to CVE-2022-31129, CVE-2017-18214, CVE-2022-24785, and CVE-2023-22467. This was resolved in 8.0.0.0.
FLEXDEPLOY-10658 - The version of Gradle shipped with the Gradle plugin is vulnerable to CVE-2023-42445 and CVE-2023-44387. Resolved in 7.0.0.2.
...
FLEXDEPLOY-7790 - The version of jQuery that ships in the cucumber plugin is vulnerable to CVE-2020-23064. This is resolved in version 8.0.0.0.
October 9, 2023
FLEXDEPLOY-9935 - The version of JGit that ships with FlexDeploy and the FlexDeploy git plugin is vulnerable to CVE-2023-4759. FlexDeploy only uses JGit to parse URLs. Command-line git is used for actual git operations, so it is not affected.
...
FLEXDEPLOY-7883 - The version of json-smart that ships with the ServiceNow and XPath plugins is vulnerable to CVE-2023-1370. Resolved in 7.0.0.0.
March 10, 2023
FLEXDEPLOY-7798 - The version of Jackson-dataformat-cbor that is shipped with the AWS plugin is vulnerable to CVE-2020-28491. A new plugin version will be released. Resolved in 7.0.0.0.
FLEXDEPLOY-7800 - The version of jackson-mapper that ships with the Siebel, Salesforce, ApexSec, OracleForms, Cucumber, EBS, OBIESS, Junit, TricentisTosca, and AutomationAnywhere plugins is vulnerable to CVE-2019-10172. New plugin versions will be released.
...
FLEXDEPLOY-7788 - The Jenkins plugin ships with a dom4j jar that is vulnerable to CVE-2020-10683 and CVE-2018-1000632. A new version of the plugin will be released. Resolved in 7.0.0.3 and 8.0.0.0.
FLEXDEPLOY-7793 - Several plugins ship with a version of commons-beanutils that is vulnerable to CVE-2014-0114. The plugins were patched in version 6.5.0.6+.
...
FLEXDEPLOY-7790 - The cucumber plugin ships with a version of jQuery that is vulnerable to CVE-2020-11022 and CVE-2020-11023. A new version of the plugin will be released. Resolved in 8.0.0.0.
FLEXDEPLOY-7792 - The versions of Bouncy Castle shipped with the FlexagonPeopleSoftPlugin, FlexDeployOpenShiftPlugin, FlexDeployArtifactoryXrayPlugin, FlexagonOracleCPQPlugin, FlexagonPMDPlugin, FlexDeploySiebelPlugin, FlexagonCheckmarxPlugin, FlexagonOWASPDependencyCheckPlugin, FlexagonAcunetixPlugin, FlexagonJenkinsPlugin, and FlexagonDockerPlugin are vulnerable to CVE-2020-26939, CVE-2020-15522, CVE-2020-0187, CVE-2016-1000338, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352, CVE-2016-1000341, CVE-2016-1000345, CVE-2017-13098, CVE-2015-7940, CVE-2018-5382, CVE-2013-1624, CVE-2016-1000346, and CVE-2016-1000339. The 7.0+ versions of these plugins will contain newer Bouncy Castle jars.
...