...
November 14, 2024
FLEXDEPLOY-13546 - FlexDeploy ships with a version of False Positive - A security scanner indicated that nimbus-jose-jwt that is 9.37.2 was vulnerable to CVE-2023-52428. This will be addressed in a future FlexDeploy versionwas a false positive. It is possible that your scanner may find the same result, but it is incorrect. 9.37.2 was the version that had the fix for this CVE.
FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This will be addressed in a future FlexDeploy version.
...
FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins is vulnerable to CVE-2024-23080. This vulnerability is that a NPE can be thrown if a bad argument is passed. This case shouldn’t be possible to hit from FlexDeploy, and if hit, it would be handled, so this issue is considered to be minor. This will be addressed in future FlexDeploy releasesThe CVE is disputed by the package maintainers, and likely not relevant. The 9.0.0.0 version of FlexDeploy has a newer version of joda time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.
March 15, 2024
FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15,7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.
...
FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will is expected to be addressed in a future FlexDeploy Version 9.0.0.2.
FlexDeploy-10872 - The version of Trilead SSH2 that ships with SVNKit FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will be addressed in a future FlexDeploy Version.
...
FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047 as it doesn’t use Apache SSHD library to load or save private key - key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include newer version of Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy will consider upgrading upgraded to that version of SVNKitin 8.0.0.0.
February 27, 2023
Snake YAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to our constructor usage.
SVNKit ships with a version of Apache SSHD that may be affected by CVE-2022-45047. Flexagon is in communication with TMateSoft to determine if they are upgrading to a newer version, or if they consider the issue to not be concerning due to their usage. This page will be updated when we know moreHowever, FlexDeploy was updated in 8.0.0.0.
FLEXDEPLOY-7681 - The version of GraphQL that ships with FlexDeploy is vulnerable to CVE-2022-37734. Resolved in 7.0.0.0
...