...
November 14, 2024
FLEXDEPLOY-13546 - FlexDeploy ships with a version of False Positive - A security scanner indicated that nimbus-jose-jwt that is 9.37.2 was vulnerable to CVE-2023-52428. This will be addressed in a future FlexDeploy versionwas a false positive. It is possible that your scanner may find the same result, but it is incorrect. 9.37.2 was the version that had the fix for this CVE.
FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This will be addressed in a future FlexDeploy version.
...
FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins is vulnerable to CVE-2024-23080. This vulnerability is that a NPE can be thrown if a bad argument is passed. This case shouldn’t be possible to hit from FlexDeploy, and if hit, it would be handled, so this issue is considered to be minor. This was addressed in FlexDeploy . The CVE is disputed by the package maintainers, and likely not relevant. The 9.0.0.0 with the Pac4J upgrade. The older versions are likely still in some pluginsversion of FlexDeploy has a newer version of joda time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.
March 15, 2024
FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15,7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.
...