March 10, 2025

FLEXDEPLOY-14213 - The version of Tomcat included with FlexDeploy is considered vulnerable to CVE-2025-24813. This vulnerability would not have been exploitable on a default install of FlexDeploy. Tomcat is being upgraded to 9.0.102 in versions 8.0.0.12, 9.0.0.4, and 10.0.0.0.

March 4, 2025

FLEXDEPLOY-14026 - The Azure Power-BI plugin includes a version of Netty that is vulnerable to CVE-2025-24970. This should not affect the plugin for what it is used for, but it will be resolved in the future to prevent it from showing up in security scans.

February 26, 2025

FLEXDEPLOY-12301 - Introduced several password security features for FlexDeploy local users:

  • Passwords now have an expiry date, configurable in system settings.
  • A limit is now set on the number of previous passwords that cannot be repeated, also configurable in system settings.
  • A "Forgot Password" link has been added to the login form, allowing users to reset their passwords independently.

This was released in 9.0.0.3.

January 14, 2025

FLEXDEPLOY-13849 - The Jenkins plugin ships with a version of json-lib that is vulnerable to CVE-2024-47855. This CVE may show up in a vulnerability scan, but it is not relevant to FlexDeploy, as we do not allow user input to reach it or run it as a server. It will be resolved in a future version.

January 7, 2025

FLEXDEPLOY-13800 - The FSM plugin ships with async-http-client-2.12.3.jar, which is vulnerable to CVE-2024-53990. This CVE may show up in a vulnerability scan, but it is not relevant to FlexDeploy, as there would never be a second user. Resolved in 9.0.0.3.

January 2, 2025

FLEXDEPLOY-13773 - The HTTPS agent shows the same vulnerabilities that FlexDeploy had before FLEXDEPLOY-13712. Additionally, 2 other CVEs were addressed in this ticket. Updated Tomcat to 9.0.98, commons-compress to 1.26.0, and commons-configuration2 to 2.10.1 for CVE-2024-56337, CVE-2024-50379, CVE-2024-29131, and CVE-2024-29133. Resolved in HTTPS Agent versions 8.0.0.10 and 9.0.0.2.

...

FLEXDEPLOY-12343 - The version of Jackson Databind that ships with the EBS plugin in versions 8.0.0.0 and 8.0.0.1 has several vulnerabilities. Version 8.0.0.2 updates this dependency, resolving those CVEs. Several other vulnerabilities exist in the plugin until version 10.0.0.0, when the EBS plugin Java requirement is raised to Java 7.

April 15, 2024

FLEXDEPLOY-12039 - The versions of Bouncy Castle that ship with FlexDeploy and its plugins are vulnerable to

...

FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. This is addressed in FlexDeploy Version 8.0.0.10/9.0.0.2.

FlexDeploy-10872 - The version of Trilead SSH2 that ships with the SVNKit that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify its dependencies in a future release, but that release is not available yet. This will be addressed in a future FlexDeploy version.

...

FLEXDEPLOY-7800 - The version of jackson-mapper that ships with the Siebel, Salesforce, ApexSec, OracleForms, Cucumber, EBS, OBIESS, Junit, TricentisTosca, and AutomationAnywhere plugins is vulnerable to CVE-2019-10172. New plugin versions will be released; as the plugins are moved to require higher Java versions, this issue is being resolved.

FLEXDEPLOY-7799 - The version of jQuery that is included in the utplsql plugin is vulnerable to CVEs CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, and CVE-2011-4969. Resolved in 8.0.0.0.

...

FLEXDEPLOY-7795 - The EC2, AWS, Jenkins, and Docker plugins ship with versions of Jackson-databind that are vulnerable to CVE-2018-7489, CVE-2017-7525, CVE-2020-10650, CVE-2020-35490, CVE-2020-35491, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, CVE-2018-1000873, CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2021-20190, CVE-2019-12086, CVE-2019-14439, CVE-2020-25649, CVE-2019-12384, and CVE-2019-12814. New versions of the plugins will be released; as the minimum Java version is updated, the vulnerabilities are being resolved.

March 8, 2023

FLEXDEPLOY-5761 - CVE-2021-44878 - If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type, which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of the "alg" key in the header with an empty signature value. All versions of FlexDeploy ship with an affected version of pac4j. The remediation for this issue is to not connect FlexDeploy to an insecure provider. No standard providers support the "none" algorithm.
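To make the failure mode above concrete, here is an added example (not FlexDeploy or pac4j code) of the check an ID-token validator has to perform: the `alg` header is compared against an explicit allowlist before any signature work happens, so a token carrying "none" (in any letter case) or an empty signature segment is refused outright. The HS256 secret, the claims and the tokens are all constructed here purely for illustration; a real OpenID Connect deployment validates RS256/ES256 signatures against the provider's published keys, but the allowlist logic is the same.

```python
"""Added example: refuse JWT/ID tokens that rely on the "none" algorithm.

Not part of FlexDeploy or pac4j. The shared secret, claims and tokens
below are constructed for this demonstration only.
"""
import base64
import hashlib
import hmac
import json

# Explicit allowlist. "none" is never a member, whatever the provider advertises.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by the JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS token (constructed test data, not a real provider).

    alg="none" produces the malformed shape described in CVE-2021-44878:
    a header claiming "none" followed by an empty signature segment.
    """
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, secret: bytes) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Order matters: the algorithm is checked before anything else, so a
    "none" header never reaches a code path that could skip verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    # Case-insensitive "none" check covers variants such as "None" / "NONE".
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected alg {alg!r}")
    if not sig_b64:
        raise ValueError("rejected token with empty signature")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_accepted(token: str, secret: bytes) -> bool:
    """Boolean wrapper around validate_id_token for logging or tests."""
    try:
        validate_id_token(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed, not a real key
    claims = {"sub": "alice", "iss": "https://idp.example"}  # constructed
    signed = make_token(claims, secret)
    unsigned = make_token(claims, secret, alg="none")
    print("signed HS256 token accepted:", is_accepted(signed, secret))    # True
    print("alg=none token accepted:", is_accepted(unsigned, secret))      # False
```

The point a practitioner should take from this is that the allowlist is owned by the relying party, not negotiated from the provider's metadata: even if a provider lists "none" among its supported algorithms, the validator above still refuses it, which is the behaviour pac4j's fix restores by default.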

...

FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047, as it does not use the Apache SSHD library to load or save private keys; key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include a newer version of the Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy upgraded to that version in 8.0.0.0 and updated again in 8.0.0.10/9.0.0.2.

February 27, 2023

SnakeYAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to the constructor FlexDeploy uses when loading YAML.

...