You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Identifier

Component

Issue

Solution

BQ-15678

Customer Data Service, DCM Lists Service, JAVA Runtime

With this issue it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
In Blueriq, user input is sanitized and such input is never used by the out-of-the-box functionality to create SpEL expressions. Meaning Blueriq is not affected by this CVE.

The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.

BQ-15579

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2022-22965 was found. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Fixed by upgrading spring framework to newer patch versions

BQ-15505

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2020-36518 was detected on jackson-databind before 2.13.2

Fixed by upgrading to the latest version of jackson-databind which does not contain the vulnerability.

CSD-3955

 

CSD-3889

JAVA Runtime

Blueriq didn't offer a security property to enable session fixation protection

Blueriq now offers a property to enable session fixation protection: blueriq.security.session-fixation-protection.enabled = true
  • No labels

Didn't find the answer you were looking for? Try the advanced search