Release Notes: Solace MicroIntegration for SFTP, Version 1.6.1
Release History for Solace MicroIntegration for SFTP, Version 1.6.1
July 2026

New Features Introduced in Release 1.6.1 and Earlier Releases

This section lists the new features introduced in the Solace MicroIntegration for SFTP for release 1.6.1 and earlier releases.
Name Description Introduced in Version
Standard Error Handling in connector framework to handle processing and publishing errors without losing data

Micro-Integration Flows now support configurable error handling to prevent data loss when messages fail during processing or delivery. Two independent features are available:

  • Retry automatically re-attempts failed publishes using exponential backoff.
  • Flow Dead Message Queue (DMQ) captures messages that can't be processed or delivered so you can inspect, reprocess, or discard them without losing data.

Both are disabled by default and can be enabled in any combination per Flow.

The error handling logic distinguishes between two failure types:

  • Processing errors—such as validation failures or type mismatches—are considered unrecoverable and route directly to the DMQ without retrying, because retrying the same malformed message would always fail.
  • Publishing errors—such as network issues or a temporarily unavailable target—are treated as potentially transient, so retry triggers first, with the DMQ as a fallback after retries are exhausted.

This feature is designed for sources that lack built-in error handling, like Change Data Capture (CDC) and polling-based sources. If your source system already has its own error handling mechanism, we recommend that you choose between using the source system's error handling or the Micro-Integration error handling—avoid enabling both at the same time. You configure error handling in the Error Handling step when you create or edit a Flow in Solace Cloud.

1.6.0
Add support for XML samples to the transformation feature

You can now use XML payloads in addition to JSON payloads when you create data mappings in Micro-Integration Flows. This enhancement allows you to work with data from legacy systems that use XML formats and transform it for use with modern systems, or vice versa.

When you import a payload sample, you can now upload either a well-formed JSON file or a well-formed XML file. You can then map payload fields and apply transformation functions to modify the data as it flows through your Micro-Integration. This feature supports XML-to-XML, XML-to-JSON, and JSON-to-XML transformations, giving you the flexibility to repurpose your events by choosing different content types for your source and target systems.

1.4.0
New functions for MI transformations: base64 encode and decode | self and cloud managed
Added transformation functions for Base64 encoding and decoding with support for Standard, URL-safe, and MIME variants.
1.3.1
Spring Cloud Stream binder performance improvements to MIs

Performance improvements through architectural optimizations in message processing. These enhancements enable substantially higher message throughput and more efficient resource utilization, allowing for handling of larger workloads with the same infrastructure. In addition, further optimizations were done by enabling asynchronous publishing by default on Micro Integrations that support it, and disabling the default internal back-pressure for faster asynchronous publishing.

1.2.1
Connector Framework - per message payload identification and field-level transformations
A new configuration section and capabilities around transforming source headers and payload to desired mappings on the target headers and payload has been added. The mappings are expressed in the connector configuration using an expression language based on Spring Expression Language (SpEL).

This release supports JSON payloads only. Future releases will add other content formats such as XML. If your source and target payload is not JSON, you cannot map or transform the payload and it is passed through as is. However, you can still do header transforms and smart topic dynamic producer destinations.

This is a new capability and is not compatible with the "transform-headers" and "transform-payload" sections of the configuration available prior to this release. The "transform-headers" and "transform-payload" sections continue to work but are now deprecated and will be removed in a future release.

Existing connector configurations that rely on the legacy transform sections should not use the new transform capabilities. The legacy and new transform sections cannot be used together.

1.1.0
SCSt binder: Add support for NACK
Added support (internal) for NACK handling of messages not processed due to error. This is a breaking change regarding supported PubSub+ broker versions. The connectors now require a 10.2.1+ broker version to operate.
1.0.0
SFTP Micro-Integration
The initial release of the SFTP Micro-Integration, which enables seamless bidirectional data flow between SFTP servers and Solace. It lets you read files from SFTP, process and split their contents, then publish the data to Solace. Similarly, you can also write Solace events back to SFTP servers. For more details, check out the full documentation.
  • The use of various Spring Framework technologies allows for easy configuration of the connector, advanced logging capabilities, and export of live metrics data to external monitoring solutions.
  • Authentication Options: Supports both private key and basic password authentication (useful for local testing).
  • The SFTP Source Key Features:
    • Delimited Files: Split files based on a configurable delimiter.
    • JSON Files: Split JSON files using a configurable JSONPath expression.
    • XML Files: Split XML files using a configurable XPath expression.
    • Filter files using configurable expressions.
    • Supports for recursive processing of subdirectories.
  • The SFTP Target Key Features:
    • Automatic File Rotation: Automatically rotates files based on a configurable maximum file size or the number of events written.
    • Dynamic File Naming: Route events dynamically to target files using event metadata/headers (via scst_targetDestination).
1.0.0

Issues Resolved in Release 1.6.1 and Earlier Releases

This section lists the history of resolved issues in the Solace MicroIntegration for SFTP for release 1.6.1 and earlier releases.
Reference Number Description Resolved in Version
DATAGO-121267
As a result of an asynchronous publish failure, when negatively acknowledging the corresponding consumed message from Solace, queue retries were not respected. Similarly, when consuming from a non-Solace source, then negative acknowledgements to that source may potentially fail.
1.2.1
DATAGO-105471
Added destination header in Solace Source micro-integrations SMF metadata
1.1.13
DATAGO-67217
Added sanitizing of message payload and header values (header names remain visible) in Error logs from messaging exceptions. Potentially sensitive values will now appear as ******.
1.0.0
DATAGO-71588
You may see a discrepancy where the container's health status is reported as unhealthy despite the health endpoint confirming a status of "UP".
1.0.0
DATAGO-71738
StreamMessages are not supported by this version of the connector due to an issue within the Spring Framework. Solace is working with Spring to address this issue and will reinstate StreamMessage support in a future release. Attempted processing of StreamMessages will result in an “UnsupportedOperationException” in the connector.
1.0.0
DATAGO-69335
Fixed the issue in reading user property having value of type byte[] or ByteArray while mapping Solace Consumer message to Spring message.
1.0.0

Changed Functionality in Release 1.6.1 and Earlier Releases

This section lists the history of changed functionality in the Solace MicroIntegration for SFTP for release 1.6.1 and earlier releases.
Reference Number Description Introduced in Version
DATAGO-142303
Upgrade connector to Jackson 2.22.0
1.6.1
DATAGO-142090
Upgrade connector to Spring Boot 3.5.16
1.6.1
DATAGO-141701
Upgrade micro-integration to Eclipse Temurin 17.0.19_10-jre-alpine-3.23@02320dd4ce20
1.6.1
DATAGO-140269
Upgrade connector to Spring Cloud 2025.0.3
1.6.0
DATAGO-137805
Upgrade connector to Eclipse Temurin 17.0.19_10-jre-alpine-3.23@b0ae54a36f82
1.6.0
DATAGO-140010
Upgrade connector to Spring Boot 3.5.15
1.6.0
DATAGO-134580
Fixed publisher send failures after an unsolicited broker-side flow close — affected publishers now auto-recover without requiring an application restart.
1.6.0
DATAGO-138150
Upgrade connector to Solace Spring Cloud 4.11.1
1.6.0
DATAGO-133191
Upgrade connector to Spring Boot 3.5.14
1.5.1
DATAGO-132479
Upgrade connector base image to Eclipse Temurin 17.0.18_8-jre-alpine-3.23 (sha256:88c0002860cda56384d5ed3b2da4d0d9a2b44dc2ee4dc02344be985bd8b524bc)
1.5.1
DATAGO-130790
Upgrade connector to Spring Cloud 2025.0.2
1.5.0
DATAGO-130061
Upgrade connector to Spring Boot 3.5.13
1.5.0
DATAGO-130215
Upgrade connector to JCSMP 10.28.3
1.5.0
DATAGO-128563
Upgrade Spring Boot Admin to 3.5.8
1.5.0
DATAGO-128439
Add support for Prometheus Monitoring tooling for observability.
1.5.0
DATAGO-125812
Upgrade connector to Spring Boot 3.5.11
1.4.0
DATAGO-124658
Upgrade connector to Spring Boot Admin 3.5.7
1.3.1
DATAGO-120869
Upgrade connector to Spring Boot 3.5.10
1.3.1
DATAGO-124644
Upgrade connector base image to Eclipse Temurin 17.0.18_8-jre-alpine (sha256:7aa804a1824d18d06c68598fe1c2953b5b203823731be7b9298bb3e0f1920b0d).
1.3.1
DATAGO-108854
Enable the workflow’s asynchronous publishing configuration option by default for improved performance. The workflow’s acknowledgment.publish-async property now defaults to true.
1.2.1
DATAGO-118041
Upgrade connector to Spring Boot 3.5.8
1.2.1
DATAGO-119789
Upgrade connector to Netty 4.1.128.Final
1.2.1
DATAGO-120873
Upgrade connector to Spring Cloud 2025.0.1
1.2.1
DATAGO-117314
Upgrade connector to Eclipse Temurin 17.0.17_10-jre-alpine (sha256:f57e47e7a78ae1ff5019681d95a4964153b0d1078bdff2a2f288e4a5ee329c14)
1.2.1
DATAGO-114547
Added startup notice/banner regarding upcoming executable artifact renaming. Users should prepare to update automation scripts when this change takes effect in a future release.
1.2.1
DATAGO-116367
Upgrade connector to Solace JCSMP 10.28.2
1.1.26
DATAGO-116368
Upgrade connector to Spring Boot Admin 3.5.6
1.1.26
DATAGO-116369
Upgrade connector to Spring Boot 3.5.7
1.1.26
DATAGO-111022
Upgrade connector to Solace Spring Cloud 4.10.0
1.1.23
DATAGO-112062
Upgrade connector to Spring Boot 3.5.6 and Spring Cloud 2025.0.0
1.1.23
DATAGO-112077
Upgrade connector to Spring Boot Admin 3.5.5
1.1.23
DATAGO-109647
Upgrade connector to Spring Boot 3.4.9
1.1.20
DATAGO-110219
Upgrade connector to Solace JCSMP 10.28.1
1.1.20
DATAGO-108538
Upgrade connector to Solace Spring Cloud 4.8.1
1.1.20
DATAGO-109668
Disable the workflow’s back-pressure by default for improved performance. The workflow’s acknowledgment.back-pressure-threshold property now defaults to -1 (disabled). For flow control, consider using native client back-pressure mechanisms instead.
1.1.20
DATAGO-107408
Upgrade connector to JCSMP 10.27.3
1.1.16
DATAGO-107134
Upgrade connector to Spring Boot Admin 3.4.7
1.1.16
DATAGO-108120
Upgrade connector base image to Eclipse Temurin 17.0.16_8-jre-alpine (sha256:fc47f4a190b599de0835d98830976f5938588b4c17b07f19dba903d5b29f666e).
1.1.16
DATAGO-107376
Upgrade connector to Spring Boot 3.4.8
1.1.16
DATAGO-106868
Upgrade connector to Spring Cloud 2024.0.2
1.1.16
DATAGO-104715
Upgrade connector to Spring Boot 3.4.7
1.1.13
DATAGO-104989
Deprecate maskNumber() function in transformation capabilities
1.1.13
DATAGO-104294
Upgrade connector to JCSMP 10.27.2
1.1.13
DATAGO-105065
Upgrade SFTP connector to spring-cloud-stream-binder-camel 1.4.4
1.1.13
DATAGO-102718
Upgrade connector to Spring Boot Admin 3.4.6
1.1.9
DATAGO-102716
Upgrade connector to JCSMP 10.27.1
1.1.9
DATAGO-102715
Upgrade connector to Spring Boot 3.4.6
1.1.9
DATAGO-99526
Upgrade connector to Solace Spring Cloud 4.8.0
1.1.6
DATAGO-99525
Upgrade connector to JCSMP 10.27.0
1.1.6
DATAGO-99793
Upgrade connector base image to Eclipse Temurin 17.0.15_6-jre-alpine (sha256:b10e4fda9d71b3819a91fbb0dbb28512edbb37a45f6af2a301c780223bb42fb8).
1.1.6
DATAGO-99796
Upgrade connector to Spring Boot 3.4.5
1.1.6
DATAGO-97529
Upgrade connector to Spring Boot 3.4.4
1.1.3
DATAGO-97477
Upgrade connector to Spring Cloud 2024.0.1
1.1.3
DATAGO-97166
Upgrade connector to JCSMP 10.26.0
1.1.3
DATAGO-97063
Upgrade connector to Spring Boot Admin 3.4.5
1.1.3
DATAGO-95501
Upgrade connector base image to Eclipse Temurin 17.0.14_7-jre-alpine (sha256:865cca6d0b31f284a5fc4e8cbd8f9375f470fd07cf6e909cea62f2790d4187fe).
1.1.0
DATAGO-95206
Upgrade connector to Spring Boot Admin 3.4.2
1.1.0
DATAGO-95698
Upgrade connector to Spring Boot 3.4.3
1.1.0
DATAGO-92892
Upgrade connector to Camel Spring 4.9.0
1.0.2
DATAGO-93240
Upgrade connector to Spring Boot 3.4.2
1.0.2
DATAGO-93224
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:8164ba7f332faf27462e055013c2aa518a2eba1ce6984e9ca60dadb899cab6bd).
1.0.2
DATAGO-93220
Upgrade connector to Solace Spring Cloud 4.7.0
1.0.2
DATAGO-92283
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:04ea31625d7771f3272bdc533a2871c00a8268f1a6774528b2a7389515f7b5b1).
1.0.0
DATAGO-89778
Upgrade connector to Spring Boot 3.4.1 and Spring Cloud 2024.0.0
1.0.0
DATAGO-92733
Upgrade connector to JCSMP 10.25.2
1.0.0

Vulnerabilities Addressed in Release 1.6.1 and Earlier Releases

The following vulnerabilities have been resolved in the Solace MicroIntegration for SFTP for release 1.6.1 and earlier releases.
Resolved in Version Severity (CVSS v3 Score) Vulnerability ID Solace Reference Number Affected Products Description
1.6.1 CVSS v3: 5.3 (MEDIUM) DATAGO-140732 JAR
Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 7.4 (HIGH) DATAGO-140732 JAR
Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 7.5 (HIGH) DATAGO-140732 JAR
Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 7.5 (HIGH) DATAGO-140732 JAR
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
1.6.1 CVSS v3: 7.5 (HIGH) DATAGO-140732 JAR
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 5.9 (MEDIUM) DATAGO-140732 JAR
Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 8.8 (HIGH) DATAGO-140732 JAR
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 7.5 (HIGH) DATAGO-140732 JAR
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 9.1 (CRITICAL) DATAGO-140732 JAR
Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.
1.6.1 CVSS v3: 4.8 (MEDIUM) DATAGO-140732 JAR
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 7.5 (HIGH) DATAGO-140732 JAR
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 8.1 (HIGH) DATAGO-140732 JAR
Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 5.9 (MEDIUM) DATAGO-140732 JAR
Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
1.6.1 CVSS v3: 0.0 (LOW) DATAGO-134825 JAR
A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.
1.6.1 CVSS v3: 7.4 (HIGH) DATAGO-134825 JAR
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
1.6.1 CVSS v3: 0.0 (LOW) DATAGO-134825 JAR
A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.
1.6.1 CVSS v3: 9.1 (CRITICAL) DATAGO-134825 JAR
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
1.6.1 CVSS v3: 0.0 (LOW) DATAGO-134825 JAR
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
1.6.1 CVSS v3: 9.8 (CRITICAL) DATAGO-134825 JAR
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
1.6.1 CVSS v3: 0.0 (LOW) DATAGO-141864 JAR
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
1.6.1 CVSS v3: 5.5 (MEDIUM) DATAGO-134443 JAR
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
1.6.1 CVSS v3: 8.9 (HIGH) DATAGO-134443 JAR
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
1.6.1 CVSS v3: 6.3 (MEDIUM) DATAGO-132510 JAR
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-135407 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 7.3 (HIGH) DATAGO-135407 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 5.8 (MEDIUM) DATAGO-135407 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 5.3 (MEDIUM) DATAGO-135407 JAR
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 6.5 (MEDIUM) DATAGO-135407 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 6.5 (MEDIUM) DATAGO-135407 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 8.9 (HIGH) DATAGO-134443 JAR
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
1.6.0 CVSS v3: 5.5 (MEDIUM) DATAGO-134443 JAR
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
1.6.0 CVSS v3: 8.1 (HIGH) DATAGO-139625 JAR
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-139625 JAR
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-139625 JAR
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-135788 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 9.8 (CRITICAL) DATAGO-139205 JAR
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
1.6.0 CVSS v3: 7.4 (HIGH) DATAGO-139205 JAR
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
1.6.0 CVSS v3: 9.1 (CRITICAL) DATAGO-139205 JAR
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-135763 JAR
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-137948 JAR
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
1.6.0 CVSS v3: 7.5 (HIGH) DATAGO-137948 JAR
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
1.6.0 CVSS v3: 9.1 (CRITICAL) DATAGO-137948 JAR
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
1.6.0 CVSS v3: 9.8 (CRITICAL) DATAGO-137948 JAR
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
1.6.0 CVSS v3: 7.3 (HIGH) DATAGO-137948 JAR
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
1.6.0 CVSS v3: 9.8 (CRITICAL) DATAGO-137948 JAR
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
1.5.0 CVSS v3: 8.7 (HIGH) DATAGO-126998 JAR
### Summary The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. ### Details The root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation. - The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks. - After parsing, they call `_valueComplete()`, which finalizes the token but does *not* call `resetInt()` or `resetFloat()`. - The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed. - Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path. ### PoC The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000. ```j
1.4.0 CVSS v3: 7.5 (HIGH) DATAGO-125854 JAR
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue..
1.3.1 CVSS v3: 7.8 (HIGH) DATAGO-122787 JAR
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
1.3.1 CVSS v3: 8.2 (HIGH) DATAGO-109708 JAR
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
1.3.1 CVSS v3: 6.5 netty-codec-http-4.1.128.Final.jar DATAGO-123652 JAR
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the "io.netty.handler.codec.http.HttpRequestEncoder" has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when "HttpRequestEncoder" is used without proper sanitization of the URI. Any application / framework using "HttpRequestEncoder" can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
1.3.1 CVSS v3: 6.9 logback-core-1.5.18.jar DATAGO-116834 JAR
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
1.3.1 CVSS v3: 5.3 (MEDIUM) DATAGO-123188 Image
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
1.3.1 CVSS v3: 9.8 (CRITICAL) DATAGO-123188 Image
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
1.3.1 CVSS v3: 6.1 (MEDIUM) DATAGO-123751 JAR
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Ja
1.3.1 CVSS v3: 7.4 (HIGH) DATAGO-123751 JAR
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and
1.2.1 CVSS v3: 5.3 tomcat-embed-core-10.1.46.jar DATAGO-116515 JAR
Improper Resource Shutdown or Release vulnerability in Apache Tomcat.
1.2.1 CVSS v3: 6.5 (MEDIUM) DATAGO-120097 JAR
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
1.1.26 CVSS v3: 5.3 tomcat-embed-core-10.1.46.jar DATAGO-116515 JAR
Improper Resource Shutdown or Release vulnerability in Apache Tomcat.
1.1.26 CVSS v3: 6.9 logback-core-1.5.18.jar DATAGO-116525 JAR
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
1.1.23 CVSS v3: 5.8 nimbus-jose-jwt-9.37.3.jar DATAGO-106713 JAR
Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
1.1.23 CVSS v3: 7.5 spring-core-6.2.10.jar DATAGO-111876 JAR
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
1.1.23 CVSS v3: 7.5 spring-security-core-6.5.3.jar DATAGO-111875 JAR
Spring Security authorization bypass for method security annotations on parameterized types
1.1.23 CVSS v3: 7.5 netty-codec-4.1.124.Final.jar DATAGO-110853 JAR
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
1.1.20 CVSS v3: 5.9 spring-webmvc-6.2.9.jar DATAGO-109375 JAR
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
1.1.20 CVSS v3: 7.5 tomcat-embed-core-10.1.43.jar DATAGO-109131 JAR
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
1.1.20 CVSS v3: 5.9 spring-beans-6.2.9.jar DATAGO-109374 JAR
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
1.1.16 CVSS v3: 5.3 commons-lang3-3.17.0.jar DATAGO-106220 JAR
Uncontrolled Recursion vulnerability in Apache Commons Lang.
1.1.13 CVSS v3: 6.5 spring-web-6.2.7.jar DATAGO-104295 JAR
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
1.1.13 CVSS v3: 6.5 tomcat-embed-core-10.1.41.jar DATAGO-104376 JAR
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
1.1.9 CVSS v3: 3.1 spring-context-6.2.6.jar DATAGO-102515 JAR
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
1.1.9 CVSS v3: 9.1 spring-security-core-6.4.5.jar DATAGO-102683 JAR
Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass.
1.1.6 CVSS v3: 7.5 (HIGH) DATAGO-100430 Image
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.
1.1.6 CVSS v3: 7.5 httpclient5-5.4.2.jar DATAGO-99888 JAR
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release
1.1.3 CVSS v3: 5.3 spring-security-core-6.4.3.jar DATAGO-97533 JAR
Spring Security 6.4.0 through 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. Your application may be affected by this if the following are true:
1.1.3 CVSS v3: 7.4 spring-security-crypto-6.4.3.jar DATAGO-97534 JAR
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
1.1.3 CVSS v3: 0 (MEDIUM) DATAGO-96844 Image
Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components * camel-servlet * camel-jetty * camel-undertow * camel-platform-http * camel-netty-http and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:u00a0 * The bean invocation (is only affected if you use any of the aboveu00a0together with camel-bean component). * The bean that can be called, hasu00a0more than 1 method implemented. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean. The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".u00a0 Mitigation:u00a0You can easily work around this in your Camel applications by removing theu00a0headers in your Camel routes. There are many ways of doing this, alsou00a0globally or per route.
1.1.3 CVSS v3: 6.5 camel-support-4.9.0.jar DATAGO-96844 JAR
Bypass/Injection vulnerability in Apache Camel.
1.1.3 CVSS v3: 7.5 (HIGH) DATAGO-96240 Image
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn\'t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
1.1.0 CVSS v3: 7.5 netty-handler-4.1.117.Final.jar DATAGO-94911 JAR
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
1.1.0 CVSS v3: 7.5 json-smart-2.5.1.jar DATAGO-94030 JAR
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.
1.1.0 CVSS v3: 5.5 netty-common-4.1.117.Final.jar DATAGO-94912 JAR
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
1.0.0 CVSS v3: 5.5 tomcat-embed-core-10.1.24.jar DATAGO-79942 JAR
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
1.0.0 CVSS v3: 7.5 (HIGH) DATAGO-79942 Image
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
1.0.0 CVSS v3: 7.5 (HIGH) DATAGO-85256 Image
### Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. ### Severity [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness. ### Remediation and Mit
1.0.0 CVSS v3: 7.5 (HIGH) DATAGO-73977 JAR
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
1.0.0 CVSS v3: 6.5 spring-web-6.1.11.jar DATAGO-82871 JAR
Spring Framework is vulnerable DoS via conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.
1.0.0 CVSS v3: 4.4 logback-core-1.5.12.jar DATAGO-91429 JAR
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
1.0.0 CVSS v3: 4.7 (MEDIUM) DATAGO-67960 Image
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor\'s perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
1.0.0 CVSS v3: 5.5 (MEDIUM) DATAGO-74149 JAR
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
1.0.0 CVSS v3: 4.8 spring-security-core-6.3.4.jar DATAGO-89424 JAR
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
1.0.0 CVSS v3: 5.9 bcprov-jdk18on-1.77.jar DATAGO-75573 JAR
BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).
1.0.0 CVSS v3: 5.5 netty-common-4.1.114.Final.jar DATAGO-89346 JAR
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
1.0.0 CVSS v3: 6.6 logback-classic-1.5.12.jar DATAGO-91430 JAR
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
1.0.0 CVSS v3: 8.1 spring-web-6.1.5.jar DATAGO-75012 JAR
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.
1.0.0 CVSS v3: 6.5 spring-security-config-6.3.1.jar DATAGO-83112 JAR
Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.
1.0.0 CVSS v3: 9.8 tomcat-embed-core-10.1.33.jar DATAGO-91084 JAR
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
1.0.0 CVSS v3: 5.5 (MEDIUM) DATAGO-78433 JAR
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
1.0.0 CVSS v3: 7.5 spring-webmvc-6.1.12.jar DATAGO-84986 JAR
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
1.0.0 CVSS v3: 7.5 spring-webmvc-6.1.13.jar DATAGO-87570 JAR
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Known Issues in Release 1.6.1 and Earlier Releases

This section describes known issues in the Solace MicroIntegration for SFTP for release 1.6.1 and earlier releases.
Reference Number Description
DATAGO-136870
Solace Cloud Managed MI fails to start with a "Config property key collision" error when a property already exposed as a dedicated schema field (e.g. paramDelimiter) is also specified under Additional Properties. Workaround: set the property using only the dedicated field, not via Additional Properties.
For more details, refer to the Release Notes page for the individual Solace Messaging APIs.