Fixes
Release 10.12.0

| Version | Issue ID | Release Date | Description |
|---|---|---|---|
| 10.12.0.3 | SCI-5925 | 8 June 2022 | Erroneous date and time format. On the User profile page, the date format was incorrect; this is now fixed. |
| 10.12.0.3 | SCI-5715 | 8 June 2022 | Vulnerable 3rd Party Component in Spring framework. In Spring framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that can cause a denial of service condition. See https://tanzu.vmware.com/security/cve-2022-22950. Upgraded the application to the safest version of Spring-core (5.3.18). |
| 10.12.0.3 | SCI-5836 | 8 June 2022 | Vulnerable 3rd Party Component busybox. BusyBox through 1.35.0 allows remote attackers to run arbitrary code if netstat is used to print a DNS PTR record's value to a VT-compatible terminal. Alternatively, the attacker might choose to change the terminal's colors. See https://nvd.nist.gov/vuln/detail/CVE-2022-28391. Upgraded the application to the safest version of BusyBox (1.36.0). |
| 10.12.0.3 | SCI-5838 | 8 June 2022 | Vulnerable 3rd Party Component spring-core. In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older versions, disallowedFields patterns on a DataBinder are case-sensitive. Fields are protected only if listed with both uppercase and lowercase for the first character, including nested fields. See https://nvd.nist.gov/vuln/detail/CVE-2022-22968. Upgraded the application to the safest version of Spring-core (5.3.19). |
| 10.12.0.3 | SCI-5839 | 8 June 2022 | Vulnerable 3rd Party Component liquibase-core. Improper restriction of XML External Entity Reference in the GitHub repository liquibase/liquibase before 4.8.0. See https://nvd.nist.gov/vuln/detail/CVE-2022-0839. Upgraded the application to the safest version of liquibase-core (4.8.0). |
| 10.12.0.3 | SCI-5840 | 8 June 2022 | Vulnerable 3rd Party Component jackson-databind. jackson-databind before 2.13.0 allows a Java™ StackOverflow exception and denial of service through a large depth of nested objects. See https://nvd.nist.gov/vuln/detail/CVE-2020-36518. Upgraded the application to the safest version of jackson-databind 2.13.2.2. |
| 10.12.0.3 | SCI-5842 | 8 June 2022 | Vulnerable 3rd Party Component commons-beanutils. In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing an attacker's ability to access the classloader through the class property available on all Java objects. This BeanIntrospector is, however, not enabled by default in PropertyUtilsBean. See https://nvd.nist.gov/vuln/detail/CVE-2019-10086. Upgraded the application to the safest version of commons-beanutils (1.9.4). |
| 10.12.0.3 | SCI-5843 | 8 June 2022 | Vulnerable 3rd Party Component spring-webmvc, spring-beans, and spring-web. A Spring MVC or Spring WebFlux application that runs on JDK 9+ can be vulnerable to remote code execution (RCE) through data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to that exploit. However, the nature of the vulnerability is more general. See https://nvd.nist.gov/vuln/detail/CVE-2022-22965. Upgraded the application to the safest version of spring-beans (5.3.19). |
| 10.12.0.2 | SCI-5952 | 16 May 2022 | Changed the field name on the Signup page (Basic and Advanced) from "Work email" to "Email". |
| 10.12.0.1 | SCI-5273 | 2 May 2022 | Updated the Privacy Policy and Impressum pages links to the recent version. |
| 10.12.0.1 | SCI-5712 | 2 May 2022 | Security fix on 3rd party components (Spring-core). In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that can cause a denial of service condition. Refer to CVE-2022-22950 (Spring Expression DoS Vulnerability). Upgraded the application to the safest version of Spring-core (5.3.18). |
| 10.12.0.1 | SCI-5798 | 2 May 2022 | Security fix on 3rd party components (Spring Security OAuth). Spring Security OAuth versions 2.5.x before 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack. This vulnerability occurs through the initiation of the authorization request in an OAuth 2.0 client application. Refer to CVE-2022-22969 (Spring Security OAuth Denial-of-Service Vulnerability). Upgraded the application to the safest version of Spring Security OAuth (2.5.2.RELEASE). |
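The case-sensitivity gap described in the SCI-5838 row (CVE-2022-22968) is easiest to see in binder configuration. The snippet below is an added example, not code from this product or from the Spring project; the class and method names are assumed, and it uses the standard `WebDataBinder.setDisallowedFields` API.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical advice class; @ControllerAdvice applies it to every controller.
@ControllerAdvice
public class BinderHardening {

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // Weak setting: in the affected Spring Framework versions listed above,
        // disallowedFields patterns are matched case-sensitively, so a request
        // parameter whose first character is uppercase ("Class.…") is NOT
        // blocked by a pattern that only names the lowercase form.
        // binder.setDisallowedFields("class.*", "*.class.*");

        // Corrected setting: list both first-character cases, including the
        // nested-field forms, so the block holds regardless of framework version.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}
```

Upgrading to the fixed framework version (as done in SCI-5838) makes the matching case-insensitive; keeping both spellings in the pattern list is a belt-and-braces measure for any module still pinned to an older version.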