You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.
Identifier | Component | Issue | Solution
---|---|---|---
BQ-15678 | Customer Data Service, DCM Lists Service, JAVA Runtime | A user can provide a specially crafted SpEL expression that may cause a denial-of-service condition. | The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading the Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.
BQ-15579 | Customer Data Service, DCM Lists Service, JAVA Runtime | CVE-2022-22965: a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. | Fixed by upgrading the Spring Framework to newer patch versions.
BQ-15505 | Customer Data Service, DCM Lists Service, JAVA Runtime | CVE-2020-36518 was detected in jackson-databind before 2.13.2. | Fixed by upgrading to the latest version of jackson-databind, which does not contain the vulnerability.
CSD-3955 | | |
CSD-3889 | JAVA Runtime | Blueriq did not offer a security property to enable session fixation protection. | Blueriq now offers a property to enable session fixation protection:
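To make concrete what session fixation protection changes, the following is an added illustration and not Blueriq code; it does not use the Blueriq property and does not model the Blueriq runtime. It is a minimal, constructed cookie-style session store in which an attacker first obtains a valid session id, plants it in the victim's browser, and then replays it after the victim logs in. With `protect_against_fixation=False` the attacker's id becomes the victim's authenticated session; with `True` the store migrates the session to a fresh id on login (the same idea as Spring Security's "migrate session" mode) and the planted id is invalidated. All names (`SessionStore`, `fixation_attack`) are assumptions for this example.

```python
import secrets


class SessionStore:
    """Constructed server-side session store keyed by an opaque session id."""

    def __init__(self, protect_against_fixation: bool):
        self.protect = protect_against_fixation
        self.sessions: dict[str, dict] = {}  # session id -> attributes

    def new_session(self) -> str:
        """Issue an unauthenticated session, as a first request would."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str) -> str:
        """Authenticate the session; return the id the client must use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.protect:
            # Session fixation protection: move the attributes to a fresh id
            # and drop the old one, so any id known before login is useless.
            attrs = self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = attrs
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str):
        """Return the authenticated user for a session id, or None."""
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(protect_against_fixation: bool) -> dict:
    """Run the fixation scenario and report what each party ends up with."""
    store = SessionStore(protect_against_fixation)

    # 1. Attacker obtains a valid (anonymous) session id from the server.
    attacker_sid = store.new_session()

    # 2. Attacker plants that id in the victim's browser (e.g. via a crafted
    #    link or an injected cookie); the victim then logs in using it.
    victim_sid = store.login(attacker_sid, "victim")

    # 3. Attacker replays the id they already know.
    return {
        "attacker_sees": store.whoami(attacker_sid),  # "victim" if unprotected
        "victim_sees": store.whoami(victim_sid),      # always "victim"
        "id_rotated": victim_sid != attacker_sid,
    }


if __name__ == "__main__":
    print("unprotected:", fixation_attack(False))
    print("protected:  ", fixation_attack(True))
```

The check a practitioner wants after enabling such a property is the one `fixation_attack` performs: log in with a pre-existing session cookie and confirm the server responds with a different session id and that the old id no longer resolves to the authenticated user.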