You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.

| Identifier | Component | Issue | Solution |
|---|---|---|---|
| BQ-20797 | Tomcat | The Tomcat server that was bundled with the Blueriq installer was vulnerable to CVE-2023-28709. | Tomcat has been updated to address the vulnerability. |
| BQ-20769 | Runtime | CVE-2023-20862 was detected for Spring Security. | Fixed by upgrading to the latest Spring Boot version. |
| BQ-20768 | Runtime | CVE-20873 was detected for Spring Boot. | Fixed by upgrading Spring Boot to the latest version. |
| BQ-20749 | Studio | Various CVEs (CVE-2020-1045, CVE-2022-29117, CVE-2017-11770) were reported for the Studio backend, but none were applicable to the .NET version used by Blueriq. | Suppressed the specific CVEs. |
| BQ-20747 | Audit Consumer, Customer Data Service, DCM Dashboard, DCM Lists Service, Gateway, Runtime, Maintenance App | CVE-2023-33201 was detected for bouncy-castle versions lower than 1.73. | Upgraded to version 1.76. |
| CSD-4853 | Audit Consumer, Customer Data Service, DCM Lists Service, Runtime, Maintenance App | CVE-2023-34034 was detected for Spring Security. | Blueriq is not affected by CVE-2023-34034 since we do not use '**' matchers and certainly not with Spring WebFlux. Nevertheless, we have upgraded the Spring dependencies to versions that are no longer affected by this CVE. |
| BQ-20679 | Encore | After removing the root node in a content item, the buttons for adding an inline text item node or an image node did not add the node. | The buttons correctly add the root node when clicked. |
| CSD-4810 | Encore | Complex aggregates were prone to infinite cycles, crashing the application. | Introduced better checks for infinite cycles, preventing crashes. |
| BQ-20565 | Case engine | When an attempt is made to read a non-existent case, the service does not end in the "caseNotFound" exit of the service call. Instead, it logs "Could not load aggregate into profile because the aggregate does not exist in the case" and continues to the default exit node. | The Case Engine now returns the proper error code and HTTP status. |
