Tip |
---|
Did you know you can subscribe to updates to security issues and release notes? Right click and copy this link and paste it into Outlook RSS Feeds or your feed reader of choice. |
November 26, 2024
FLEXDEPLOY-13642 - The PowerBI plugin ships with a version of Bouncy Castle that is vulnerable to CVE-2024-29857 and CVE-2024-34447. This will be addressed in a FlexDeploy 9.0.0.1.
FLEXDEPLOY-13643 - The version of Spring-Core that ships with FlexDeploy is vulnerable to CVE-2024-38820. This vulnerability is likely not relevant to FlexDeploy in operation, but it will be address in a future FlexDeploy version.
November 14, 2024
FLEXDEPLOY-13546 - False Positive - A security scanner indicated that nimbus-jose-jwt 9.37.2 was vulnerable to CVE-2023-52428. This was a false positive. It is possible that your scanner may find the same result, but it is incorrect. 9.37.2 was the version that had the fix for this CVE.
FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This will be addressed in a future FlexDeploy version.
October 21, 2024
FLEXDEPLOY-13177 - In versions 6.5.0.0-6.5.0.20, 7.0.0.0-7.0.0.11 and 8.0.0.0-8.0.0.6, password hashes were visible in a GraphQL query. Upgrading to 6.5.0.21, 7.0.0.12 or 8.0.0.7 is recommended.
September 27,2024
FLEXDEPLOY-12743 - The version of Guava shipped with the Jenkins plugin is vulnerable to CVE-2023-2976. This is resolved in plugin version 8.0.0.7 and 9.0.0.0. The plugin now requires Java 8.
September 17, 2024
FLEXDEPLOY-12828 - Internal testing found that XXE injection was possible in the FlexDeploy application as well as the HPTest, Junit, Oats, ApexSec, ODB, Soapui, and TestNG plugins. The FlexDeploy application was patched for version 9.0.0.0. The plugins were patched in version 8.0.0.6 and 9.0.0.0.
August 23, 2024
FLEXDEPLOY-12739 - The version of Jackson Databind in the Automation Anywhere, JUnit, Oracle Apex Sec, and Tricentis Tosca plugins is vulnerable to CVE-2022-42004 and
CVE-2022-42003. Version 8.0.0.5 updates this version resolving these vulnerabilities.
FLEXDEPLOY-12747 - CVE-2024-40094 - GraphQL Java before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. This will be resolved in a future version.
FLEXDEPLOY-12748 - CVE-2024-34750 - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat 9 through 9.0.89. This will be resolved in a future version. FlexDeploy does not ship with HTTP/2 turned on, so it doesn’t affect most installations.
May 22,2014
FLEXDEPLOY-12343 - The version of Jackson Databind that ships with The EBS plugin in versions 8.0.0.0 and 8.0.0.1 has several vulnerabilities. Version 8.0.0.2 updates this version resolving those CVEs.
April 15, 2024
FLEXDEPLOY-12039 - The versions of Bouncy Castle that ship with FlexDeploy and its plugins are vulnerable to
CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.
CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.
These issues likely do not affect customers in any way based on the way Bouncy Castle is used in FlexDeploy, but a future release will contain updated versions.
FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins is vulnerable to CVE-2024-23080. This vulnerability is that a NPE can be thrown if a bad argument is passed. This case shouldn’t be possible to hit from FlexDeploy, and if hit, it would be handled, so this issue is considered to be minor. The CVE is disputed by the package maintainers, and likely not relevant. The 9.0.0.0 version of FlexDeploy has a newer version of joda time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.
March 15, 2024
FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15,7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.
March 13, 2024
FLEXDEPLOY-11605 - The versions of Apache Tomcat that ships with FlexDeploy are vulnerable to CVE-2024-24549 and CVE-2024-23672. CVE-2024-24549 is regarding HTTP/2, which Flexagon has not recommended, so no customers should be affected. CVE-2024-23672 is in regards to WebSockets, which FlexDeploy does not use. This vulnerability is patched in version 8.0.0.0.
February 29, 2024
FLEXDEPLOY-11369 - The version of oauth2-oidc-sdk that ships with FlexDeploy is vulnerable to an XXE attach identified by SNYK as SNYK-JAVA-COMNIMBUSDS-1243767. This jar will be updated in 8.0.0.0.
FLEXDEPLOY-11371 - The version of nimbus-jose-jwt that ships with FlexDeploy is vulnerable to SNYK-JAVA-COMNIMBUSDS-6247633. This jar will be updated in 9.0.0.0.
February 27, 2024
FLEXDEPLOY-11330 - The Postgres JDBC driver that ships in the FlexDeploy zip is vulnerable to CVE-2024-1597. This vulnerability requires conditions that are not met by FlexDeploy, so FlexDeploy is not affected. However, this jar will be updated in future versions.
FLEXDEPLOY-11327 - Jackson-databind through 2.15.2 is affected by CVE-2023-35116 and allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. A newer version will be included in FlexDeploy 8.0.0.0 and in the 7.0.0.4 plugins that use Java 8.
FLEXDEPLOY-11326 - Commons Compress versions that are vulnerable to CVE-2024-26308 and CVE-2024-25710 are included in FlexDeploy and may FlexDeploy plugins. Version 8.0.0.0 and plugins in 7.0.0.4 will be upgraded to resolve this vulnerabilities.
FLEXDEPLOY-11325 - The version on TestNG that is bundled in the groovy plugin is vulnerable to CVE-2022-4065. This is remedied in 7.0.0.4 and 8.0.0.0.
January 19,2024
The versions of Tomcat that shipped with older FlexDeploy versions earlier than 5.7 are affected by CVE-2023-21733. Update FlexDeploy to a newer version such as 6.5.0.14 or 7.0.0.2 if this affects you.
January 16, 2024
FLEXDEPLOY-10913 - The version of Amazon Ion that ships with the AWS, Docker, and EC2 plugins is vulnerable to CVE-2024-21634. Since the only source that is targeted with those plugins is Amazon’s trusted apis, the vulnerability does not affect FlexDeploy. This warning was resolved in 7.0.0.3.
January 10,2024
FLEXDEPLOY-10895 - FlexDeploy ships with a version of json-smart that is vulnerable to CVE-2023-1370. This will be addressed in a future FlexDeploy Version. This was resolved in 6.0.0.10, 6.5.0.15, 7.0.0.3.
FLEXDEPLOY-10898 - FlexDeploy ships with a version of junit that is vulnerable to CVE-2020-15250. This was resolved in 8.0.0.0.
January 9, 2024
FlexDeploy-10879 - The version of SSHJ that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. This will be addressed in a future FlexDeploy Versionwas resolved in 7.0.0.2.
January 8, 2024
FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will is expected to be addressed in a future FlexDeploy Version 9.0.0.2.
FlexDeploy-10872 - The version of Trilead SSH2 that ships with SVNKit FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will be addressed in a future FlexDeploy Version.
FlexDeploy-10872 10873 - Json-path is vulnerable to stack overflow exceptions if improper input is parsed. https://nvd.nist.gov/vuln/detail/CVE-2023-51074 is assigned to this issue. The issue is undergoing research. No fix is available at this time. This was fixed in 7.0.0.3.
January 5, 2024
FLEXDEPLOY-10845 - Prevent a potential authentication bypass issue on REST calls. The calls were still authorized, but some REST calls allowed non-secured data to be read without authentication in certain cases.
Affects versions 6.0 < 6.0.0.10, 6.5 < 6.5.0.14, 7.0 < 7.0.0.2. This is fixed in versions 6.0.0.10, 6.5.0.14, 7.0.0.2, and 8.0.0.0. Versions < 6.0 are not affected.
...
FLEXDEPLOY-10814 FlexDeploy ships with a version of Shiro vulnerable to CVE-2023-46570. This will be was resolved in 7.0.0.3, 8.0.0.0.
FLEXDEPLOY-10839 FlexDeploy ships with a version of xmlsec vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-44483. This will be was resolved in 7.0.0.3, 8.0.0.0.
January 2, 2024
FLEXDEPLOY-10826 FlexDeploy ships with JSON JAVA (org.json) that is vulnerable to CVE-2023-5072, https://github.com/advisories/GHSA-4jq9-2xhw-jpx7 , and CVE-2022-45688. This will be addressed in a future FlexDeploy versionwas resolved in 7.0.0.2.
December 11, 2023
FLEXDEPLOY-10663 (FlexDeploy) and FLEXDEPLOY-10715 (HTTPS Agent) The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-46589. Tomcat will be upgraded to version 9.0.83+ in future releases. The HTTPS agent is updated as of 7.0.0.1/8.0.0.0. FlexDeploy is updated in 7.0.0.2, 6.5.0.14, and 8.0.0.0.
...
FLEXDEPLOY-7790 The version of cucumber-core that ships with the cucumber plugin includes several outdated JavaScript libraries that are vulnerable to CVE-2022-31129, CVE-2017-18214, CVE-2022-24785, and CVE-2023-22467. This will be updated in a future plugin versionwas resolved in 8.0.0.0.
FLEXDEPLOY-10658 The version of Gradle shipped with the Gradle plugin is vulnerable to CVE-2023-42445 and CVE-2023-44387. Resolved in 7.0.0.2.
...
FLEXDEPLOY-7790 The version of Jquery that ships in the cucumber plugin is vulnerable to CVE-2020-23064. This will be updated in a future plugin versionis resolved in version 8.0.0.0.
October 9, 2023
FLEXDEPLOY-9935 The versions of JGit that ships with FlexDeploy and the FlexDeploy git plugin is vulnerable to CVE-2023-4759. FlexDeploy only uses JGit to parse urls. Command-line git is used for actual git operations, so it is not affected.
...
FLEXDEPLOY-9153 - The version of Guava that ships with the FlexagonAzurePlugin, FlexagonJenkinsPlugin, FlexagonOCIPlugin, FlexagonOracleSaaSFSMPlugin, FlexDeployOracleAPIGatewayPlugin, FlexDeploySiebelPlugin are affected by CVE 2023-2976. This vulnerability is not thought to affect these plugins, but the dependency will be upgraded in the futurethought to affect these plugins, but the dependency will be upgraded in the future. This was resolved for all but the Jenkins plugin in version 8.0.0.0 or earlier. The Jenkins plugin version was updated in 9.0.0.0.
FLEXDEPLOY-9154 - The version of Jackson Databind that ships with FlexagonAWSPlugin, FlexagonDockerPlugin, FlexagonEC2Plugin, FlexagonJenkinsPlugin is affected by CVE-2017-17485, CVE-2018-11307, and CVE-2023-35116. Because these are running on the plugin instead of the server, the risk is low, but the dependency will be upgraded in the future.
...
FLEXDEPLOY-8803 - The version of jQuery that ships with the utPLSQL plugin is vulnerable to CVE-2020-7656. A new plugin version will be released. Resolved in 8.0.0.0
FLEXDEPLOY-8806 - The version of MySqlConnector that ships with the PeopleSoft plugin is vulnerable to CVE-2022-21363, CVE-2019-2692, CVE-2021-2471, CVE-2020-2934, and CVE-2020-2875. Resolved in 6.5.0.4+.
...
FLEXDEPLOY-7883 - The version of json-smart that ships with the ServiceNow and XPath plugins is vulnerable to CVE-2023-1370. A new plugin version will be released. Resolved in 7.0.0.0.
March 10, 2023
FLEXDEPLOY-7798 - The version of Jackson-dataformat-cbor that is shipped with the AWS plugin is vulnerable to CVE-2020-28491. A new plugin version will be released. Resolved in 7.0.0.0.
FLEXDEPLOY-7800 - The version of jackson-mapper that ships with the Siebel, Salesforce, ApexSec, OracleForms, Cucumber, EBS, OBIESS, Junit, TricentisTosca, and AutomationAnywhere plugins is vulnerable to CVE-2019-10172. New plugin versions will be released.
FLEXDEPLOY-7799 - The version of jQuery that is included in the utplsql plugin is vulnerable to CVEs CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, and CVE-2011-49692011-4969. Resolved in 8.0.0.0.
FLEXDEPLOY-7764 - The version of jsch that is shipped with the Git plugin is vulnerable to CVE-2016-5725. Resolved in 7.0.0.0.
...
FLEXDEPLOY-7788 - The Jenkins plugin ships with a dom4j jar that is vulnerable to CVEs CVE-2020-10683 and CVE-2018-1000632. A new version of the plugin will be released. Resolved in 7.0.0.3 and 8.0.0.0.
FLEXDEPLOY-7793 - The several plugins ship with a version of common-beanutils is that vulnerable to CVE-2014-0114. The plugins were patched for in version 6.5.0.6+.
...
FLEXDEPLOY-7790 - The cucumber plugin ships with a version of jQuery that is vulnerable to CVEs CVE-2020-11022 and CVE-2020-11023. A new version of the plugin will be releasedResolved in 8.0.0.0.
FLEXDEPLOY-7792 - The versions of bouncy castle shipped with the FlexagonPeopleSoftPlugin, FlexDeployOpenShiftPlugin, FlexDeployArtifactoryXrayPlugin, FlexagonOracleCPQPlugin, FlexagonPMDPlugin, FlexDeploySiebelPlugin, FlexagonCheckmarxPlugin, FlexagonOWASPDependencyCheckPlugin, FlexagonAcunetixPlugin, FlexagonJenkinsPlugin, and FlexagonDockerPlugin are vulnerable to CVEs CVE-2020-26939, CVE-2020-15522, CVE-2020-0187, CVE-2016-1000338, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352, CVE-2016-1000341, CVE-2016-1000345, CVE-2017-13098, CVE-2020-15522, CVE-2015-7940, CVE-2018-5382, CVE-2013-1624, CVE-2016-1000346, and CVE-2016-1000339. The 7.0+ versions of these plugins will contain newer bouncy castle jars.
...
FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047 as it doesn’t use Apache SSHD library to load or save private key - key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include newer version of Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy will consider upgrading upgraded to that version of SVNKitin 8.0.0.0.
February 27, 2023
Snake YAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to our constructor usage.
SVNKit ships with a version of Apache SSHD that may be affected by CVE-2022-45047. Flexagon is in communication with TMateSoft to determine if they are upgrading to a newer version, or if they consider the issue to not be concerning due to their usage. This page will be updated when we know moreHowever, FlexDeploy was updated in 8.0.0.0.
FLEXDEPLOY-7681 - The version of GraphQL that ships with FlexDeploy is vulnerable to CVE-2022-37734. Resolved in 7.0.0.0
...