Category: security

News and posts from security category

SCM-Manager 3.3.0 and an important vulnerability bugfix

Posted on 2024-07-08 by Thomas Zerr


Dear SCM-Manager Community,

today we released the new version of the SCM-Manager 3.3.0. This release focuses primarily on an important vulnerability bugfix, that prevents users from escalating their privileges in a namespace of repositories. Additionally, some new features and…


Posted in scm-manager, release, security


XML-Parser Expat (CVE-2022-23852)

Posted on 2022-02-02 by Eduard Heimbuch


Hey SCM-Manager Community,

Maybe you have heard about a new vulnerability regarding Expat which is likely as dangerous as Log4Shell.

The SCM-Manager is only affected if you have the PlantUML-Plugin installed. We highly recommend uninstalling this plugin until we can provide a fixed version. If your SCM-Manager is running inside the Cloudogu Ecosystem you also need to take down the PlantUML Dogu


Posted in scm-manager, security


SCM-Manager 2.30.0

Posted on 2022-01-24 by Eduard Heimbuch


Hey SCM-Manager Community,

you may have read our last blog post warning you about a Path Traversal vulnerability in SCM-Manager. If you haven't already, please update your instance to the latest SCM-Manager version as soon as possible to fix this issue.

Alerting

We have already…


Posted in scm-manager, release, security


Path Traversal Vulnerability

Posted on 2022-01-17 by René Pfeuffer


Hey SCM-Manager Community,

thanks to an attentive user, we got notice of a path traversal vulnerability in SCM-Manager. Affected are all versions from 2.0.0 up to 2.29.0.

We released a hotfix 2.29.1.

Update now!

Your SCM-Manager Team


Posted in scm-manager, release, security


Log4Shell

Posted on 2021-12-13 by René Pfeuffer


Hey SCM-Manager Community,

We're sure you've heard about the vulnerability in log4j called Log4Shell. As far as we can say, SCM-Manager is not affected by this, because log4j is not used in SCM-Manager (for logging, we use Logback).

However, if you have installed plugins from external sources, you can check whether log4j is used somewhere by running this little script using the script plugin


Posted in scm-manager, security, release


CVE-2014-9390

Posted on 2014-12-23 by Sebastian Sdorra


CVE-2014-9390 affects git systems on case-insensitive filesystems, such as Windows and Mac OS. For more informations of CVE-2014-9390 please have a look at the git mailing list.

There are only two parts of SCM-Manager which are affected by CVE-2014-9390, the new import…


Posted in scm-manager, security


SCM-Manager and the POODLE vulnerability

Posted on 2014-10-18 by Sebastian Sdorra


If you are using scm-server with a configured https connector, please be sure that you exclude the SSLv3 protocol to avoid the POODLE vulnerability.

Add the following xml elements to your https connector in your server-config.xml:

<Arg>
  <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
</Arg>

The complete connector section should now be…


Posted in scm-manager, security