3.3 - Security fixes


Security fixes provided in 3.3.0-funcrel

| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| admin-center | CVE-2019-17495 | CRITICAL | Cross-site scripting in Swagger-UI | 3.2.0-funcrel |
| admin-center | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| admin-center | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| admin-center | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| admin-center | CVE-2024-41909 | HIGH | mina-sshd: integrity check bypass vulnerability | 3.2.0-funcrel |
| admin-center | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| admin-center | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.0-funcrel |
| admin-center | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| admin-center | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| auth-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.0-funcrel |
| auth-service | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| auth-service | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| auth-service | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.0-funcrel |
| auth-service | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| console | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| console | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| console | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| console | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| console | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| console | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.0-funcrel |
| console | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| dashboards | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| dashboards | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| dashboards | CVE-2024-38821 | CRITICAL | Spring-WebFlux: Authorization Bypass of Static Resources in WebFlux Applications | 3.2.0-funcrel |
| dashboards | CVE-2024-47072 | HIGH | com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream | 3.2.0-funcrel |
| dashboards | CVE-2024-50379 | HIGH | tomcat: RCE due to TOCTOU issue in JSP compilation | 3.2.0-funcrel |
| dashboards | CVE-2024-56337 | HIGH | tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation | 3.2.0-funcrel |
| dashboards | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| dashboards | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| dashboards | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| gateway | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| gateway | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.0-funcrel |
| gateway | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| gateway | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| sso-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.0-funcrel |
| sso-service | CVE-2024-10270 | HIGH | org.keycloak:keycloak-services: Keycloak Denial of Service | 3.2.0-funcrel |
| sso-service | CVE-2024-10451 | HIGH | org.keycloak:keycloak-quarkus-server: Sensitive Data Exposure in Keycloak Build Process | 3.2.0-funcrel |
| sso-service | CVE-2024-12397 | HIGH | io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling | 3.2.0-funcrel |
| sso-service | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| analysis-node | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| analysis-node | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| analysis-node | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.2.0-funcrel |
| analysis-node | CVE-2024-38807 | HIGH | Applications that use spring-boot-loader or spring-boot-loader-classic a … | 3.2.0-funcrel |
| analysis-node | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| analysis-node | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| analysis-node | CVE-2024-47554 | HIGH | apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader | 3.2.0-funcrel |
| analysis-node | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| analysis-node | CVE-2024-7254 | HIGH | protobuf: StackOverflow vulnerability in Protocol Buffers | 3.2.0-funcrel |
| analysis-node | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| analysis-node | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| ai-service | CVE-2024-34069 | HIGH | python-werkzeug: user may execute code on a developer’s machine | 3.2.0-funcrel |
| neo4j | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| neo4j | CVE-2024-7254 | HIGH | protobuf: StackOverflow vulnerability in Protocol Buffers | 3.2.0-funcrel |
| neo4j | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| viewer | CVE-2023-29403 | HIGH | golang: runtime: unexpected behavior of setuid/setgid binaries | 3.2.0-funcrel |
| viewer | CVE-2023-39325 | HIGH | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | 3.2.0-funcrel |
| viewer | CVE-2023-45283 | HIGH | The filepath package does not recognize paths with a \??\ prefix as sp … | 3.2.0-funcrel |
| viewer | CVE-2023-45288 | HIGH | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS | 3.2.0-funcrel |
| viewer | CVE-2024-24790 | CRITICAL | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses | 3.2.0-funcrel |
| viewer | CVE-2024-34156 | HIGH | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion | 3.2.0-funcrel |
| viewer | CVE-2024-45337 | CRITICAL | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | 3.2.0-funcrel |

Security fixes provided in 3.3.0-beta1

| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| admin-center | CVE-2019-17495 | CRITICAL | Cross-site scripting in Swagger-UI | 3.2.0-funcrel |
| admin-center | CVE-2024-41909 | HIGH | mina-sshd: integrity check bypass vulnerability | 3.2.0-funcrel |
| admin-center | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| admin-center | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| admin-center | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| admin-center | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| admin-center | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| admin-center | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| analysis-node | CVE-2024-7254 | HIGH | protobuf: StackOverflow vulnerability in Protocol Buffers | 3.2.0-funcrel |
| analysis-node | CVE-2024-47554 | HIGH | apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader | 3.2.0-funcrel |
| analysis-node | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| analysis-node | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| analysis-node | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.2.0-funcrel |
| analysis-node | CVE-2024-38807 | HIGH | Applications that use spring-boot-loader or spring-boot-loader-classic a … | 3.2.0-funcrel |
| analysis-node | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| analysis-node | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| analysis-node | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| analysis-node | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| analysis-node | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| auth-service | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| auth-service | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| auth-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.0-funcrel |
| auth-service | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| console | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| console | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| console | CVE-2016-1000027 | CRITICAL | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization | 3.2.0-funcrel |
| console | CVE-2024-38816 | HIGH | spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | 3.2.0-funcrel |
| console | CVE-2024-38819 | HIGH | org.springframework:spring-webmvc: Path traversal vulnerability in functional web frameworks | 3.2.0-funcrel |
| console | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| gateway | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| gateway | CVE-2025-24813 | CRITICAL | tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | 3.2.0-funcrel |
| gateway | CVE-2025-22228 | HIGH | spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length | 3.2.0-funcrel |
| sso-service | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| sso-service | CVE-2024-12397 | HIGH | io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling | 3.2.0-funcrel |
| sso-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.0-funcrel |
| sso-service | CVE-2024-10451 | HIGH | org.keycloak:keycloak-quarkus-server: Sensitive Data Exposure in Keycloak Build Process | 3.2.0-funcrel |
| sso-service | CVE-2024-10270 | HIGH | org.keycloak:keycloak-services: Keycloak Denial of Service | 3.2.0-funcrel |
| dashboards | CVE-2020-36518 | HIGH | jackson-databind: denial of service via a large depth of nested objects | 3.2.0-funcrel |
| dashboards | CVE-2021-46877 | HIGH | jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode | 3.2.0-funcrel |
| dashboards | CVE-2022-42003 | HIGH | jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS | 3.2.0-funcrel |
| dashboards | CVE-2022-42004 | HIGH | jackson-databind: use of deeply nested arrays | 3.2.0-funcrel |
| dashboards | CVE-2021-22569 | HIGH | protobuf-java: potential DoS in the parsing procedure for binary data | 3.2.0-funcrel |
| dashboards | CVE-2021-22570 | HIGH | protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference | 3.2.0-funcrel |
| dashboards | CVE-2022-3509 | HIGH | protobuf-java: Textformat parsing issue leads to DoS | 3.2.0-funcrel |
| dashboards | CVE-2022-3510 | HIGH | protobuf-java: Message-Type Extensions parsing issue leads to DoS | 3.2.0-funcrel |
| dashboards | CVE-2024-7254 | HIGH | protobuf: StackOverflow vulnerability in Protocol Buffers | 3.2.0-funcrel |
| dashboards | CVE-2024-47554 | HIGH | apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader | 3.2.0-funcrel |
| dashboards | CVE-2021-35515 | HIGH | apache-commons-compress: infinite loop when reading a specially crafted 7Z archive | 3.2.0-funcrel |
| dashboards | CVE-2021-35516 | HIGH | apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive | 3.2.0-funcrel |
| dashboards | CVE-2021-35517 | HIGH | apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive | 3.2.0-funcrel |
| dashboards | CVE-2021-36090 | HIGH | apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive | 3.2.0-funcrel |
| dashboards | CVE-2022-45688 | HIGH | json stack overflow vulnerability | 3.2.0-funcrel |
| dashboards | CVE-2023-5072 | HIGH | JSON-java: parser confusion leads to OOM | 3.2.0-funcrel |
| dashboards | CVE-2022-1471 | HIGH | SnakeYaml: Constructor Deserialization Remote Code Execution | 3.2.0-funcrel |
| dashboards | CVE-2022-25857 | HIGH | snakeyaml: Denial of Service due to missing nested depth limitation for collections | 3.2.0-funcrel |
| imaging-service | CVE-2024-24790 | CRITICAL | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses | 3.2.0-funcrel |
| imaging-service | CVE-2023-29403 | HIGH | golang: runtime: unexpected behavior of setuid/setgid binaries | 3.2.0-funcrel |
| imaging-service | CVE-2023-39325 | HIGH | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | 3.2.0-funcrel |
| imaging-service | CVE-2023-45283 | HIGH | The filepath package does not recognize paths with a \??\ prefix as sp … | 3.2.0-funcrel |
| imaging-service | CVE-2023-45288 | HIGH | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS | 3.2.0-funcrel |
| imaging-service | CVE-2024-34156 | HIGH | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion | 3.2.0-funcrel |
| imaging-service | CVE-2024-45337 | CRITICAL | golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto | 3.2.0-funcrel |
| imaging-service | CVE-2025-22869 | HIGH | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | 3.2.0-funcrel |
| neo4j | CVE-2024-7254 | HIGH | protobuf: StackOverflow vulnerability in Protocol Buffers | 3.2.0-funcrel |
| neo4j | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn’t correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.0-funcrel |
| neo4j | CVE-2024-57699 | HIGH | json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370) | 3.2.0-funcrel |
| open-ai-services | CVE-2024-34069 | HIGH | python-werkzeug: user may execute code on a developer’s machine | 3.2.0-funcrel |