Tip |
---|
Did you know you can subscribe to updates to security issues and release notes? Right click and copy this link and paste it into Outlook RSS Feeds or your feed reader of choice. |
November
...
26, 2024
FLEXDEPLOY-13546 - FlexDeploy ships with a version of nimbus-jose-jwt that is -13642 - The PowerBI plugin ships with a version of Bouncy Castle that is vulnerable to CVE-2024-29857 and CVE-2024-34447. This will be addressed in a FlexDeploy 9.0.0.1.
FLEXDEPLOY-13643 - The version of Spring-Core that ships with FlexDeploy is vulnerable to CVE-2024-38820. This vulnerability is likely not relevant to FlexDeploy in operation, but it will be address in a future FlexDeploy version.
November 14, 2024
FLEXDEPLOY-13546 - False Positive - A security scanner indicated that nimbus-jose-jwt 9.37.2 was vulnerable to CVE-2023-52428. This will be addressed in a future FlexDeploy versionwas a false positive. It is possible that your scanner may find the same result, but it is incorrect. 9.37.2 was the version that had the fix for this CVE.
FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This will be addressed in a future FlexDeploy version.
...
FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins is vulnerable to CVE-2024-23080. This vulnerability is that a NPE can be thrown if a bad argument is passed. This case shouldn’t be possible to hit from FlexDeploy, and if hit, it would be handled, so this issue is considered to be minor. This will be addressed in future FlexDeploy releases.be handled, so this issue is considered to be minor. The CVE is disputed by the package maintainers, and likely not relevant. The 9.0.0.0 version of FlexDeploy has a newer version of joda time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.
March 15, 2024
FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15,7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.
...
FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will is expected to be addressed in a future FlexDeploy Version 9.0.0.2.
FlexDeploy-10872 - The version of Trilead SSH2 that ships with SVNKit FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will be addressed in a future FlexDeploy Version.
...
FLEXDEPLOY-9153 - The version of Guava that ships with the FlexagonAzurePlugin, FlexagonJenkinsPlugin, FlexagonOCIPlugin, FlexagonOracleSaaSFSMPlugin, FlexDeployOracleAPIGatewayPlugin, FlexDeploySiebelPlugin are affected by CVE 2023-2976. This vulnerability is not thought to affect these plugins, but the dependency will be upgraded in the future. This was resolved for all but the Jenkins plugin in version 8.0.0.0 or earlier. The Jenkins plugin version will be was updated in the future9.0.0.0.
FLEXDEPLOY-9154 - The version of Jackson Databind that ships with FlexagonAWSPlugin, FlexagonDockerPlugin, FlexagonEC2Plugin, FlexagonJenkinsPlugin is affected by CVE-2017-17485, CVE-2018-11307, and CVE-2023-35116. Because these are running on the plugin instead of the server, the risk is low, but the dependency will be upgraded in the future.
...
FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047 as it doesn’t use Apache SSHD library to load or save private key - key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include newer version of Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy will consider upgrading upgraded to that version of SVNKitin 8.0.0.0.
February 27, 2023
Snake YAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to our constructor usage.
SVNKit ships with a version of Apache SSHD that may be affected by CVE-2022-45047. Flexagon is in communication with TMateSoft to determine if they are upgrading to a newer version, or if they consider the issue to not be concerning due to their usage. This page will be updated when we know moreHowever, FlexDeploy was updated in 8.0.0.0.
FLEXDEPLOY-7681 - The version of GraphQL that ships with FlexDeploy is vulnerable to CVE-2022-37734. Resolved in 7.0.0.0
...