Important Security Updates
Michael Lochead edited this page Apr 19, 2022 · 5 revisions
This advisory describes the fixes that have been completed for a series of recently identified security vulnerabilities. Because the most severe of these fixes is rated Critical, all users are advised to deploy the latest version, Release 3.0 HF5, immediately.
Impacted Version(s): all releases prior to Release 3.0 HF5
Fixed Version: Release 3.0 HF5.
The following security vulnerabilities are fixed in Release 3.0 HF5:
- 104458 (Critical) - Command injection on Docker Host
- 104441 (High) - Unauthorized editing of parent billing organization and other organization fields
- 104444 (High) - Artifactory account overwrite vulnerability
- 104446 (High) - Access to logs by newly unassigned registered users
- 104395 (Medium) - Insufficient session expiration
- 104406 (Medium) - Account creation and password reset emails vulnerable to phishing
- 104438 (Medium) - Insufficient authorization
- 104439 (Medium) - Authorization bypass (alert receiver deletion)
- 104447 (Medium) - Disclosure of cluster and app instance information
- 104400 (Low) - Password change form does not require user to enter current password
- 104475 (Low) - No authorization check on API key deletion
- 104480 (Low) - Vulnerable software in use
- 104417 (Low) - Cross-site WebSocket hijacking
- 104485 (Low) - Application does not force HTTPS