
January 14, 2025

FLEXDEPLOY-13849 - The Jenkins plugin ships with a version of json-lib that is vulnerable to CVE-2024-47855. This CVE may show up in a vulnerability scan, but it is not relevant to FlexDeploy, because FlexDeploy does not pass user input to json-lib and does not run it as a server. It will be resolved in a future version.

January 7, 2025

FLEXDEPLOY-13800 - The FSM plugin ships with async-http-client-2.12.3.jar, which is vulnerable to CVE-2024-53990. This CVE may show up in a vulnerability scan, but it is not relevant to FlexDeploy, because there would never be a second user. It will be resolved in a future version.

January 2, 2025

FLEXDEPLOY-13773 - The HTTPS agent shows the same vulnerabilities that FlexDeploy had before FLEXDEPLOY-13712. Additionally, two other CVEs were addressed in this ticket. Updated Tomcat to 9.0.98, commons-compress to 1.26.0, and commons-configuration2 to 2.10.1 for CVE-2024-56337, CVE-2024-50379, CVE-2024-29131, and CVE-2024-29133. Resolved in HTTPS Agent versions 8.0.0.10 and 9.0.0.2.

December 17, 2024

FLEXDEPLOY-13712 - Apache Tomcat before 9.0.98 is affected by CVE-2024-54677 (Apache Tomcat - DoS in examples web application) and CVE-2024-50379 (Apache Tomcat - RCE via write-enabled default servlet). FlexDeploy does not ship the examples web application, so CVE-2024-54677 does not apply. FlexDeploy does not ship the default servlet, so CVE-2024-50379 does not apply. Resolved these CVEs for vulnerability scanners in 8.0.0.9/9.0.0.1.

November 26, 2024

FLEXDEPLOY-13642 - The PowerBI plugin ships with a version of Bouncy Castle that is vulnerable to CVE-2024-29857 and CVE-2024-34447. This will be addressed in FlexDeploy 9.0.0.1.

FLEXDEPLOY-13643 - The version of Spring-Core that ships with FlexDeploy is vulnerable to CVE-2024-38820. This vulnerability is likely not relevant to FlexDeploy in operation, but it will be addressed in a future FlexDeploy version.

November 14, 2024

FLEXDEPLOY-13546 - False Positive - A security scanner indicated that nimbus-jose-jwt 9.37.2 was vulnerable to CVE-2023-52428. This was a false positive. Your scanner may report the same result, but it is incorrect: 9.37.2 is the version that contains the fix for this CVE.

FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This is addressed in FlexDeploy 9.0.0.2.

October 21, 2024

FLEXDEPLOY-13177 - In versions 6.5.0.0-6.5.0.20, 7.0.0.0-7.0.0.11 and 8.0.0.0-8.0.0.6, password hashes were visible in

...

a GraphQL query. Upgrading to 6.5.0.21, 7.0.0.12 or 8.0.0.7 is recommended.

September 27, 2024

FLEXDEPLOY-12743 - The version of Guava shipped with the Jenkins plugin is vulnerable to CVE-2023-2976. This is resolved in plugin version 8.0.0.7 and 9.0.0.0. The plugin now requires Java 8.

...

FLEXDEPLOY-12747 - CVE-2024-40094 - GraphQL Java before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. This was resolved in 8.0.0.6 / 9.0.0.0.

FLEXDEPLOY-12748 - CVE-2024-34750 - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout, which allowed connections to remain open that should have been closed. This issue affects Apache Tomcat 9 through 9.0.89. FlexDeploy does not ship with HTTP/2 turned on, so it does not affect most installations. This was resolved in 8.0.0.6 / 9.0.0.0.

May 22, 2014

FLEXDEPLOY-12343 - The version of Jackson Databind that ships with the EBS plugin in versions 8.0.0.0 and 8.0.0.1 has several vulnerabilities. Version 8.0.0.2 updates this dependency, resolving those CVEs.

...

FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins are vulnerable to CVE-2024-23080. The vulnerability is that an NPE can be thrown if a bad argument is passed. This case should not be reachable from FlexDeploy, and if it were hit it would be handled, so this issue is considered minor. This will be addressed in future FlexDeploy releases. The CVE is disputed by the package maintainers and is likely not relevant. The 9.0.0.0 version of FlexDeploy has a newer version of Joda Time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.

March 15, 2024

FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15, and 7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.

...

FLEXDEPLOY-11330 - The Postgres JDBC driver that ships in the FlexDeploy zip is vulnerable to CVE-2024-1597. This vulnerability requires conditions that are not met by FlexDeploy, so FlexDeploy is not affected. However, this jar was updated in 8.0.0.0.

FLEXDEPLOY-11327 - Jackson-databind through 2.15.2 is affected by CVE-2023-35116 and allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. A newer version will be included in FlexDeploy 8.0.0.0 and in the 7.0.0.4 plugins that use Java 8.

...

FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it is not available yet. This is addressed in FlexDeploy version 9.0.0.2.

FlexDeploy-10872 - The version of Trilead SSH2 that ships with the SVNKit FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it is not available yet. This will be addressed in a future FlexDeploy version.

...

FLEXDEPLOY-10663 (FlexDeploy) and FLEXDEPLOY-10715 (HTTPS Agent) - The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-46589. Tomcat was upgraded to version 9.0.83+. The HTTPS agent is updated as of 7.0.0.1/8.0.0.0. FlexDeploy is updated in 7.0.0.2, 6.5.0.14, and 8.0.0.0.

...

FLEXDEPLOY-10386 - The version of dom4j included in the Jenkins plugin is vulnerable to CVE-2023-45960. Resolved in 7.0.0.3.

The version of Selenium in the FSM plugin may be flagged as vulnerable to CVE-2023-5590. However, the plugin does not ship with the IE Driver, so it is not vulnerable.

...

The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-45648, CVE-2023-44487, CVE-2023-42795, CVE-2023-42794, and CVE-2023-41080. CVE-2023-41080 is not applicable because the root application does not ship with FlexDeploy. The other vulnerabilities likely do affect FlexDeploy, depending on the configuration in your server.xml. Tomcat was upgraded to version 9.0.81+ in the 7.0 and future 6.5 and 6.0 releases. Resolved in 7.0.0.0, 6.5.0.14.

FlexDeploy has recommended the HTTP/1.1 protocol in the past (e.g. Enabling HTTPS on FlexDeploy (Tomcat)), so unless you have selected HTTP/2 in your server.xml, CVE-2023-44487 does not apply. Check your server.xml to see which connectors you have active. Opening the file in vim color-codes the connectors (commented-out connectors appear in the comment color), so you can easily see which ones are active. If any active connector is set to HTTP/2, you can switch it to HTTP/1.1 to mitigate the Rapid Reset issue.
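To make the server.xml check above repeatable rather than a visual inspection, here is an added Python example (not code from the original notice or from the FlexDeploy product) that parses a Tomcat server.xml, lists each active connector with whether it carries the Http2Protocol upgrade element that turns on HTTP/2 in Tomcat 9, and produces a copy with that element removed so the connector falls back to HTTP/1.1. The embedded server.xml is constructed for the example, and the keystore path and port numbers in it are assumptions.

```python
"""Audit a Tomcat server.xml for connectors with HTTP/2 enabled.

Added example, not FlexDeploy code. Tomcat 9 enables HTTP/2 on a connector
through a nested <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
element; removing it leaves the connector on HTTP/1.1, which is the
mitigation the notice describes for CVE-2023-44487 (Rapid Reset).
"""
import sys
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml (assumed ports and keystore path): an HTTP/1.1
# connector on 8080, an HTTPS connector on 8443 with HTTP/2 enabled, and a
# commented-out connector that also names Http2Protocol but is not active.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/flexdeploy.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <!--
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return one record per active <Connector>: port, protocol, and whether HTTP/2 is on.

    ElementTree drops XML comments while parsing, so commented-out connectors
    (the ones vim shows in the comment colour) are not reported, which matches
    what Tomcat actually loads.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        upgrades = conn.findall("UpgradeProtocol")
        http2 = any(u.get("className") == HTTP2_CLASS for u in upgrades)
        findings.append({
            "port": conn.get("port"),
            # Tomcat's default when the attribute is omitted is HTTP/1.1.
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "http2": http2,
        })
    return findings


def remove_http2(xml_text):
    """Return (new_xml, count) with every Http2Protocol UpgradeProtocol element removed."""
    root = ET.fromstring(xml_text)
    removed = 0
    for conn in root.iter("Connector"):
        for upgrade in list(conn.findall("UpgradeProtocol")):
            if upgrade.get("className") == HTTP2_CLASS:
                conn.remove(upgrade)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def main(argv):
    # Usage: python tomcat_h2_audit.py [path/to/server.xml]
    # With no argument the constructed sample above is audited.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    for f in audit_connectors(xml_text):
        status = "HTTP/2 ENABLED (CVE-2023-44487 applies)" if f["http2"] else "HTTP/1.1 only"
        print(f"port {f['port']:>5}  protocol={f['protocol']}  {status}")
    fixed, n = remove_http2(xml_text)
    print(f"\n{n} HTTP/2 upgrade element(s) removed; review before replacing server.xml:\n")
    print(fixed)


if __name__ == "__main__":
    main(sys.argv)
```

The rewritten XML is printed rather than written back, because ElementTree discards comments and the XML declaration; treat its output as a guide for the edit to make in the real file, not as a drop-in replacement. Run it against the live file with `python tomcat_h2_audit.py /path/to/tomcat/conf/server.xml` (path assumed).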

...

FLEXDEPLOY-9153 - The version of Guava that ships with the FlexagonAzurePlugin, FlexagonJenkinsPlugin, FlexagonOCIPlugin, FlexagonOracleSaaSFSMPlugin, FlexDeployOracleAPIGatewayPlugin, and FlexDeploySiebelPlugin is affected by CVE-2023-2976. This vulnerability is not thought to affect these plugins, but the dependency will be upgraded. This was resolved for all but the Jenkins plugin in version 8.0.0.0 or earlier. The Jenkins plugin was updated in 9.0.0.0.

FLEXDEPLOY-9154 - The version of Jackson Databind that ships with FlexagonAWSPlugin, FlexagonDockerPlugin, FlexagonEC2Plugin, and FlexagonJenkinsPlugin is affected by CVE-2017-17485, CVE-2018-11307, and CVE-2023-35116. Because these run on the plugin instead of the server, the risk is low, but the dependency was upgraded in 7.0.0.0.

FLEXDEPLOY-9155 - The version of gradle that ships with the gradle plugin is vulnerable to CVE-2023-35947 and CVE-2023-35946. A new plugin version will be released. Resolved in 5.7.0.14, 6.0.0.8, 6.5.0.6+.

...

FLEXDEPLOY-8898 - The HTTPS Agent is affected by CVE-2022-45688. Protect your HTTPS agents within your corporate firewalls. A future version will contain a patched org.json version. Resolved in 6.5.0.5+.

May 26, 2023

...

FLEXDEPLOY-7773 - CVE-2018-10237 - Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. Do not expose FlexDeploy to untrusted access. Flexagon updated the version of Guava shipped in version 7.0.0.0. The Docker, Siebel, and Jenkins plugins also contain Guava jars that are vulnerable.

...

FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047, as it does not use the Apache SSHD library to load or save private keys; key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include a newer version of the Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy upgraded to that version of SVNKit in 8.0.0.0.

February 27, 2023

Snake YAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to our constructor usage.

SVNKit ships with a version of Apache SSHD that may be affected by CVE-2022-45047. Flexagon is in communication with TMateSoft to determine whether they are upgrading to a newer version, or whether they consider the issue not to be concerning due to their usage. However, FlexDeploy was updated in 8.0.0.0.

FLEXDEPLOY-7681 - The version of GraphQL that ships with FlexDeploy is vulnerable to CVE-2022-37734. Resolved in 7.0.0.0.

...