3.4 - Security fixes


Security fixes provided in 3.4.5-funcrel

| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-4949 | Critical | org.eclipse.jgit:org.eclipse.jgit | 3.4.4-funcrel |
| admin-center | CVE-2020-36843 | High | net.i2p.crypto:eddsa | 3.4.4-funcrel |
| admin-center | CVE-2025-46392 | High | commons-configuration:commons-configuration | 3.4.4-funcrel |
| admin-center | CVE-2025-48924 | High | org.apache.commons:commons-lang3, commons-lang:commons-lang | 3.4.4-funcrel |
| ai-service | CVE-2025-7709 | Critical | libsqlite3-0 | 3.4.4-funcrel |
| ai-service | CVE-2025-9230 | Critical | openssl, libssl3t64, openssl-provider-legacy | 3.4.4-funcrel |
| ai-service | CVE-2025-3262 | High | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-6921 | High | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-8941 | High | libpam0g, libpam-runtime, libpam-modules, libpam-modules-bin | 3.4.4-funcrel |
| ai-service | CVE-2025-9231 | High | openssl, libssl3t64, openssl-provider-legacy | 3.4.4-funcrel |
| ai-service | CVE-2025-9232 | High | openssl, libssl3t64, openssl-provider-legacy | 3.4.4-funcrel |
| ai-service | CVE-2025-3263 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-3264 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-3777 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-3933 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-5197 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-6051 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-6638 | Medium | transformers | 3.4.4-funcrel |
| ai-service | CVE-2025-8869 | Medium | pip | 3.4.4-funcrel |
| analysis-node | CVE-2025-48924 | High | org.apache.commons:commons-lang3 | 3.4.4-funcrel |
| analysis-node | CVE-2022-45787 | Medium | org.apache.james:apache-mime4j | 3.4.4-funcrel |
| analysis-node | CVE-2023-4218 | Medium | org.eclipse.platform:org.eclipse.core.runtime | 3.4.4-funcrel |
| analysis-node | CVE-2025-8869 | Medium | pip | 3.4.4-funcrel |
| auth | CVE-2025-46392 | High | commons-configuration:commons-configuration | 3.4.4-funcrel |
| auth | CVE-2025-48924 | High | org.apache.commons:commons-lang3, commons-lang:commons-lang | 3.4.4-funcrel |
| gateway | CVE-2025-22227 | High | io.projectreactor.netty:reactor-netty-http | 3.4.4-funcrel |
| gateway | CVE-2025-41249 | High | org.springframework:spring-core | 3.4.4-funcrel |
| gateway | CVE-2025-46392 | High | commons-configuration:commons-configuration | 3.4.4-funcrel |
| gateway | CVE-2025-48924 | High | org.apache.commons:commons-lang3, commons-lang:commons-lang | 3.4.4-funcrel |
| gateway | CVE-2020-13956 | High | org.apache.httpcomponents:httpclient | 3.4.4-funcrel |
| gateway | CVE-2025-41242 | High | org.springframework:spring-webmvc | 3.4.4-funcrel |
| neo4j | CVE-2025-22227 | High | io.projectreactor.netty:reactor-netty-http | 3.4.4-funcrel |
| neo4j | CVE-2025-48924 | High | org.apache.commons:commons-lang3 | 3.4.4-funcrel |
| neo4j | CVE-2025-53864 | High | com.nimbusds:nimbus-jose-jwt | 3.4.4-funcrel |
| sso-service | CVE-2025-48924 | High | org.apache.commons:commons-lang3 | 3.4.4-funcrel |
| imaging-viewer | CVE-2025-9230 | Critical | libssl3, libcrypto3 | 3.4.4-funcrel |
| imaging-viewer | CVE-2025-9231 | High | libssl3, libcrypto3 | 3.4.4-funcrel |
| imaging-viewer | CVE-2025-9232 | High | libssl3, libcrypto3 | 3.4.4-funcrel |

Security fixes provided in 3.4.4-funcrel

| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| admin-center | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| admin-center | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| auth | CVE-2025-41248 | HIGH | org.springframework.security/spring-security-core: Spring Security authorization bypass | 3.4.1-funcrel |
| auth | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| auth | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| console | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| dashboards | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| dashboards | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| neo4j | CVE-2025-5115 | HIGH | jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.4 |
| node | CVE-2025-48989 | HIGH | tomcat: http/2 “MadeYouReset” DoS attack through HTTP/2 control frames | 3.4.1-funcrel |
| sso-service | CVE-2025-41249 | HIGH | org.springframework/spring-core: Spring Framework Annotation Detection Vulnerability | 3.4.1-funcrel |
| sso-service | CVE-2025-55163 | HIGH | netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability | 3.4.1-funcrel |
| viewer | CVE-2025-22868 | HIGH | golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws | 3.4.1-funcrel |
| viewer | CVE-2025-22869 | HIGH | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | 3.4.1-funcrel |
| viewer | CVE-2025-22874 | HIGH | crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509 | 3.4.1-funcrel |
| viewer | CVE-2025-47907 | HIGH | database/sql: Postgres Scan Race Condition | 3.4.1-funcrel |
| viewer | CVE-2025-6984 | HIGH | langchain-community: Langchain-community insecure XML parsing | 3.4.1-funcrel |

Security fixes provided in 3.4.1-funcrel

| CAST service | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| analysis-node | CVE-2021-3572 | HIGH | python-pip: Incorrect handling of unicode separators in git references | 3.4.0-funcrel |
| analysis-node | CVE-2022-40897 | HIGH | pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py | 3.4.0-funcrel |
| analysis-node | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.4.0-funcrel |
| analysis-node | CVE-2024-6345 | HIGH | pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools | 3.4.0-funcrel |
| analysis-node | CVE-2025-47273 | HIGH | setuptools: Path Traversal Vulnerability in setuptools PackageIndex | 3.4.0-funcrel |
| dashboards | CVE-2022-41404 | HIGH | org.ini4j: unspecified DoS | 3.4.0-funcrel |
| sso-service | CVE-2025-49146 | HIGH | pgjdbc: pgjdbc insecure authentication in channel binding | 3.4.0-funcrel |

Security fixes provided in 3.4.0-funcrel

| CAST service | CVE | Description | Affected CAST release |
|---|---|---|---|
| admin-center | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| admin-center | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| analysis-node | CVE-2025-48734 | commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum’s declaredClass property by default | 3.3.0-funcrel |
| analysis-node | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| analysis-node | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| auth-service | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| console | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| dashboards | CVE-2025-22235 | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.3.0-funcrel |
| dashboards | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| dashboards | CVE-2025-49146 | pgjdbc: pgjdbc insecure authentication in channel binding | 3.3.0-funcrel |
| gateway | CVE-2025-41235 | Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies | 3.3.0-funcrel |
| gateway | CVE-2025-48988 | tomcat: Apache Tomcat DoS in multipart upload | 3.3.0-funcrel |
| imaging-viewer | CVE-2025-4565 | python-protobuf: Unbounded recursion in Python Protobuf | 3.3.0-funcrel |
| neo4j | CVE-2025-1948 | jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability | 3.3.0-funcrel |
| sso-service | CVE-2025-3501 | org.keycloak.protocol.services: Keycloak hostname verification | 3.3.0-funcrel |