Release 10.12.0

| Version | Issue ID | Release Date | Description |
| --- | --- | --- | --- |
| 10.12.0.3 | SCI-5925 | June 08, 2022 | Erroneous date and time format. On the Administration > User profile page, the date format was wrong; this is now fixed. |
| 10.12.0.3 | SCI-5715 | June 08, 2022 | Vulnerable 3rd party component: Spring Framework. In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. See: https://tanzu.vmware.com/security/cve-2022-22950. Upgraded the application to the safest version of Spring-core (5.3.18). |
| 10.12.0.3 | SCI-5836 | June 08, 2022 | Vulnerable 3rd party component: busybox. BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT-compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. See: https://nvd.nist.gov/vuln/detail/CVE-2022-28391. Upgraded the application to the safest version of BusyBox (1.36.0). |
| 10.12.0.3 | SCI-5838 | June 08, 2022 | Vulnerable 3rd party component: spring-core. In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case-sensitive, which means that a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. See: https://nvd.nist.gov/vuln/detail/CVE-2022-22968. Upgraded the application to the safest version of Spring-core (5.3.19). |
| 10.12.0.3 | SCI-5839 | June 08, 2022 | Vulnerable 3rd party component: liquibase-core. Improper restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. See: https://nvd.nist.gov/vuln/detail/CVE-2022-0839. Upgraded the application to the safest version of liquibase-core (4.8.0). |
| 10.12.0.3 | SCI-5840 | June 08, 2022 | Vulnerable 3rd party component: jackson-databind. jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. See: https://nvd.nist.gov/vuln/detail/CVE-2020-36518. Upgraded the application to the safest version of jackson-databind (2.13.2.2). |
| 10.12.0.3 | SCI-5842 | June 08, 2022 | Vulnerable 3rd party component: commons-beanutils. In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added, which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this was not used by default in PropertyUtilsBean. See: https://nvd.nist.gov/vuln/detail/CVE-2019-10086. Upgraded the application to the safest version of commons-beanutils (1.9.4). |
| 10.12.0.3 | SCI-5843 | June 08, 2022 | Vulnerable 3rd party components: spring-webmvc, spring-beans and spring-web. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. See: https://nvd.nist.gov/vuln/detail/CVE-2022-22965. Upgraded the application to the safest version of spring-beans (5.3.19). |
| 10.12.0.2 | SCI-5952 | May 16, 2022 | Changed the field name on the Signup page (Basic and Advanced) from "Work email" to "Email". |
| 10.12.0.1 | SCI-5273 | May 02, 2022 | Updated the Privacy Policy and Impressum page links to the latest version. |
| 10.12.0.1 | SCI-5712 | May 02, 2022 | Security fix on 3rd party components (Spring-core). In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. See: CVE-2022-22950: Spring Expression DoS Vulnerability. Upgraded the application to the safest version of Spring-core (5.3.18). |
| 10.12.0.1 | SCI-5798 | May 02, 2022 | Security fix on 3rd party components (Spring Security OAuth). Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack through initiation of the authorization request in an OAuth 2.0 client application. See: CVE-2022-22969: Spring Security OAuth Denial-of-Service Vulnerability. Upgraded the application to the safest version of Spring Security OAuth (2.5.2.RELEASE). |
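The SCI-5838 entry (CVE-2022-22968) describes a subtle failure mode: on affected Spring Framework versions a `disallowedFields` pattern only blocks the exact first-character casing it lists, so `account.admin` does not cover `Account.admin`. The following is an added illustration, not part of these release notes or the product's code, of the documented workaround for versions that cannot be upgraded yet: expand every protected property path into all first-character case variants before handing it to the `DataBinder`. The `SignupForm` and `Account` beans, the `account.admin` path and the request parameters are constructed for the example; it assumes `spring-beans` and `spring-context` (the `org.springframework.validation.DataBinder` API) on the classpath.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsExample {

    // Assumed form beans; the product's real form classes are not in the release notes.
    public static class Account {
        private boolean admin;
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    public static class SignupForm {
        private String email;
        private Account account = new Account();
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public Account getAccount() { return account; }
        public void setAccount(Account account) { this.account = account; }
    }

    // Expand "account.admin" into every combination of first-character case along the
    // property path: account.admin, Account.admin, account.Admin, Account.Admin.
    // This is the workaround for versions where disallowedFields matching is case-sensitive.
    static List<String> caseVariants(String propertyPath) {
        List<String> variants = new ArrayList<>();
        variants.add("");
        for (String segment : propertyPath.split("\\.")) {
            String lower = Character.toLowerCase(segment.charAt(0)) + segment.substring(1);
            String upper = Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : variants) {
                String sep = prefix.isEmpty() ? "" : ".";
                next.add(prefix + sep + lower);
                next.add(prefix + sep + upper);
            }
            variants = next;
        }
        return variants;
    }

    // Bind constructed request parameters and return the fields the binder suppressed.
    // With useAllCaseVariants=false only the single lowercase pattern is registered,
    // which is sufficient on 5.3.19+ / 5.2.21+ but not on the affected versions.
    static String[] bindAndReportSuppressed(SignupForm form, boolean useAllCaseVariants) {
        DataBinder binder = new DataBinder(form);
        if (useAllCaseVariants) {
            binder.setDisallowedFields(caseVariants("account.admin").toArray(new String[0]));
        } else {
            binder.setDisallowedFields("account.admin");
        }

        // Constructed form post that uses the capitalised spelling of the protected path.
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("email", "user@example.com");
        pvs.add("Account.admin", "true");

        binder.bind(pvs);
        return binder.getBindingResult().getSuppressedFields();
    }

    public static void main(String[] args) {
        SignupForm form = new SignupForm();
        String[] suppressed = bindAndReportSuppressed(form, true);
        System.out.println("suppressed fields: " + String.join(", ", suppressed));
        System.out.println("account.admin after bind: " + form.getAccount().isAdmin());
    }
}
```

With the full variant list registered, `getSuppressedFields()` reports `Account.admin` and the `admin` flag stays `false` regardless of Spring version; on a fixed version the single lowercase pattern behaves the same, so the expanded list is harmless to keep, but the release's actual remedy is the upgrade to Spring-core 5.3.19, which makes the match case-insensitive.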