You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.

Identifier

Component

Issue

Solution

BQ-15678

Customer Data Service, DCM Lists Service, JAVA Runtime

With this issue it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
In Blueriq, user input is sanitized and such input is never used by the out-of-the-box functionality to create SpEL expressions. Meaning Blueriq is not affected by this CVE.

The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.

BQ-15586

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2022-22965 was found. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Fixed by upgrading spring framework to newer patch versions

BQ-15505

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2020-36518 was detected on jackson-databind before 2.13.2.1

Fixed by upgrading to the latest version of jackson-databind which does not contain the vulnerability.

  • No labels

Didn't find the answer you were looking for? Try the advanced search