Pexip security bulletins

The following security bulletins are published by Pexip for issues affecting our own products — Pexip Infinity, the Pexip apps, the VMR self-service portal, and Enhanced Room Management. There are currently no security bulletins for any other Pexip products, including the Reverse Proxy and TURN Server, Pexip Justice, or AIMS.

For information about external issues arising in third-party software and operating systems that may impact these Pexip products, see https://www.pexip.com/trust-center. Where relevant, updates will be incorporated into each Pexip product, so we recommend that you frequently check for and always run the latest versions of each product. If you have deployed Pexip's VMR self-service portal, Reverse Proxy and TURN Server, Pexip Justice or AIMS products, you should also ensure that the appliance's operating system is regularly patched against the latest security bugs.

More information specific for each of the vulnerabilities can be found via the NIST National Vulnerability Database: http://nvd.nist.gov/.

Pexip Infinity

This list covers issues addressed in Pexip Infinity v35.0 and later. For issues addressed in v34.x or earlier, see our documentation for previous releases.

Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

In the table below, "Severity" reflects the severity of the issue as calculated from the CVSS Base Score. "Risk" reflects the risk associated with each vulnerability in the context of the Pexip Infinity product environment.

Reference Description Severity Risk Updated Impacted versions Addressed in version
CVE-2025-48704

Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v38

 High High July 2025 35.0 - v37.2 38.0
CVE-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVSS 3.1 base score: 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H)

Discussion: Infinity versions before 27 do not expose this component to untrusted input and are thus not directly impacted by this issue (although it is still present in the versions of the component contained in pre-27 Infinity releases). Infinity versions from 27 up to 38 do process untrusted input using the affected component as part of the Single Sign-On functionality.

Mitigation: Administrators should ensure that only trusted Identity Providers are configured.

Resolution: Upgrade to Pexip Infinity v38.

 High High July 2025 All before v38.0 38.0
CVE-2024-55549

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

CVSS3.1 base score: 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H)

Discussion: Infinity versions before 27 do not expose this component to untrusted input and are thus not directly impacted by this issue (although it is still present in the versions of the component contained in pre-27 Infinity releases). Infinity versions from 27 up to 38 do process untrusted input using the affected component as part of the Single Sign-On functionality.

Mitigation: Administrators should ensure that only trusted Identity Providers are configured.

Resolution: Upgrade to Pexip Infinity v38.

 High High July 2025 All before v38.0 38.0
Multiple Resolved minor issues: CVE-2011-10007, CVE-2022-49043, CVE-2023-29383, CVE-2023-4039, CVE-2023-4641, CVE-2023-48795, CVE-2023-51385, CVE-2023-51767, CVE-2024-56171, CVE-2024-56406, CVE-2024-7347, CVE-2025-0938, CVE-2025-1390, CVE-2025-22247, CVE-2025-22866, CVE-2025-22870, CVE-2025-24928, CVE-2025-26699, CVE-2025-27113, CVE-2025-31115, CVE-2025-32415, CVE-2025-32728, CVE-2025-32873, CVE-2025-4207, CVE-2025-4598, CVE-2025-46836, CVE-2025-48432, CVE-2025-6199     July 2025   38.0
CVE-2025-49088

Insufficient input validation in the One Touch Join service allows a remote attacker to trigger a software abort leading to a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Discussion: A crafted calendar invite allows a remote attacker to trigger a software abort.

Mitigation: This vulnerability requires the configuration of an OTJ Profile, an associated OTJ Endpoint Group which contains at least one OTJ Endpoint, and an associated OTJ Meeting Processing Rule of type "Microsoft Teams SIP Guest Join". The attacker needs to be able to send a calendar invite to the OTJ Endpoint Room resource email. For OTJ Exchange and OTJ Graph Integrations, it is possible to set the ProcessExternalMeetingMessages flag to $false, which will cause meeting requests from external senders to be rejected.

Resolution: Upgrade to Pexip Infinity 37.2

 High High June 2025 32.0 - 37.1 37.2
CVE-2025-32096

Insufficient input validation in the signaling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 37.1

 High High May 2025 33.0 - 37.0 37.1
CVE-2025-32095

Insufficient input validation in the signalling implementation(s) allows a remote attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Discussion: A crafted signalling message allows a remote attacker to trigger a software abort.

Mitigation: None

Resolution: Upgrade to Pexip Infinity v37.0

 High High March 2025 All before 37.0 37.0
CVE-2025-30080

Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a temporary denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity v37.0

 High High March 2025 29 - 36.2 37.0
CVE-2024-12084

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Discussion: Exploitation of this vulnerability requires access to the operating system on an Infinity node as the rsync daemon is not exposed to the network outside the Infinity deployment. Therefore, the risk to Infinity is reduced from Critical to High.

Mitigation: Ensure only trusted users have operating system access to the Infinity deployment.

Resolution: Upgrade to Pexip Infinity v37.0

 Critical High March 2025 All before 37.0 37.0
Multiple Resolved minor issues: CVE-2023-0187, CVE-2023-0188, CVE-2023-0190, CVE-2023-0194, CVE-2023-0195, CVE-2023-0199, CVE-2023-28370, CVE-2023-31022, CVE-2023-31124, CVE-2023-31147, CVE-2023-49081, CVE-2023-49082, CVE-2023-52920, CVE-2024-0075, CVE-2024-0078, CVE-2024-0092, CVE-2024-5197, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, CVE-2024-25629, CVE-2024-26686, CVE-2024-27011, CVE-2024-27017, CVE-2024-36478, CVE-2024-41810, CVE-2024-43835, CVE-2024-45336, CVE-2024-45341, CVE-2024-46678, CVE-2024-46679, CVE-2024-46695, CVE-2024-46711, CVE-2024-46713, CVE-2024-46717, CVE-2024-46721, CVE-2024-46735, CVE-2024-46737, CVE-2024-46738, CVE-2024-46739, CVE-2024-46744, CVE-2024-46746, CVE-2024-46750, CVE-2024-46762, CVE-2024-46763, CVE-2024-46777, CVE-2024-46782, CVE-2024-46783, CVE-2024-46784, CVE-2024-46787, CVE-2024-46794, CVE-2024-46800, CVE-2024-46826, CVE-2024-46828, CVE-2024-46829, CVE-2024-46830, CVE-2024-46848, CVE-2024-46855, CVE-2024-46858, CVE-2024-47660, CVE-2024-47668, CVE-2024-47674, CVE-2024-47678, CVE-2024-47679, CVE-2024-47682, CVE-2024-47684, CVE-2024-47685, CVE-2024-47693, CVE-2024-47701, CVE-2024-47705, CVE-2024-47706, CVE-2024-47707, CVE-2024-47710, CVE-2024-47727, CVE-2024-47728, CVE-2024-47734, CVE-2024-47739, CVE-2024-47742, CVE-2024-47743, CVE-2024-47745, CVE-2024-47748, CVE-2024-49568, CVE-2024-49850, CVE-2024-49851, CVE-2024-49855, CVE-2024-49856, CVE-2024-49858, CVE-2024-49860, CVE-2024-49861, CVE-2024-49863, CVE-2024-49870, CVE-2024-49878, CVE-2024-49881, CVE-2024-49882, CVE-2024-49883, CVE-2024-49884, CVE-2024-49889, CVE-2024-49925, CVE-2024-49926, CVE-2024-49927, CVE-2024-49933, CVE-2024-49934, CVE-2024-49935, CVE-2024-49948, CVE-2024-49949, CVE-2024-49952, CVE-2024-49954, CVE-2024-49959, CVE-2024-49960, CVE-2024-49973, CVE-2024-49975, CVE-2024-49978, CVE-2024-49983, CVE-2024-49994, CVE-2024-50000, CVE-2024-50001, CVE-2024-50002, CVE-2024-50006, CVE-2024-50009, CVE-2024-50010, CVE-2024-50012, CVE-2024-50013, CVE-2024-50014, CVE-2024-50015, CVE-2024-50019, CVE-2024-50022, CVE-2024-50024, CVE-2024-50036, CVE-2024-50038, CVE-2024-50039, CVE-2024-50045, CVE-2024-50046, CVE-2024-50048, CVE-2024-50055, CVE-2024-50058, CVE-2024-50060, CVE-2024-50063, CVE-2024-50067, CVE-2024-50082, CVE-2024-50083, CVE-2024-50093, CVE-2024-50095, CVE-2024-50110, CVE-2024-50115, CVE-2024-50126, CVE-2024-50127, CVE-2024-50131, CVE-2024-50135, CVE-2024-50141, CVE-2024-50142, CVE-2024-50143, CVE-2024-50147, CVE-2024-50153, CVE-2024-50154, CVE-2024-50162, CVE-2024-50163, CVE-2024-50164, CVE-2024-50182, CVE-2024-50184, CVE-2024-50185, CVE-2024-50189, CVE-2024-50191, CVE-2024-50195, CVE-2024-50199, CVE-2024-50200, CVE-2024-50211, CVE-2024-50226, CVE-2024-50250, CVE-2024-50251, CVE-2024-50256, CVE-2024-50257, CVE-2024-50258, CVE-2024-50261, CVE-2024-50262, CVE-2024-50264, CVE-2024-50271, CVE-2024-50272, CVE-2024-50278, CVE-2024-50279, CVE-2024-50280, CVE-2024-50301, CVE-2024-50302, CVE-2024-50304, CVE-2024-52533, CVE-2024-53042, CVE-2024-53052, CVE-2024-53057, CVE-2024-53079, CVE-2024-53082, CVE-2024-53085, CVE-2024-53091, CVE-2024-53093, CVE-2024-53099, CVE-2024-53105, CVE-2024-53124, CVE-2024-53125, CVE-2024-53128, CVE-2024-53141, CVE-2024-53142, CVE-2024-53164, CVE-2024-53166, CVE-2024-53170, CVE-2024-53175, CVE-2024-53194, CVE-2024-53198, CVE-2024-53214, CVE-2024-53224, CVE-2024-53233, CVE-2024-53240, CVE-2024-53241, CVE-2024-53907, CVE-2024-53908, CVE-2024-54683, CVE-2024-56374, CVE-2024-56566, CVE-2024-56569, CVE-2024-56570, CVE-2024-56583, CVE-2024-56584, CVE-2024-56587, CVE-2024-56592, CVE-2024-56600, CVE-2024-56601, CVE-2024-56606, CVE-2024-56611, CVE-2024-56614, CVE-2024-56615, CVE-2024-56631, CVE-2024-56633, CVE-2024-56636, CVE-2024-56637, CVE-2024-56640, CVE-2024-56641, CVE-2024-56644, CVE-2024-56658, CVE-2024-56662, CVE-2024-56664, CVE-2024-56672, CVE-2024-56675, CVE-2024-56693, CVE-2024-56703, CVE-2024-56709, CVE-2024-56718, CVE-2024-56720, CVE-2024-56739, CVE-2024-56745, CVE-2024-56751, CVE-2024-56756, CVE-2024-56763, CVE-2024-56770, CVE-2024-56780, CVE-2024-56786, CVE-2024-57843, CVE-2024-57882, CVE-2024-57883, CVE-2024-57884, CVE-2024-57888, CVE-2024-57890, CVE-2024-57900, CVE-2024-57903, CVE-2024-57917, CVE-2024-57924, CVE-2024-57929, CVE-2024-57931, CVE-2024-57940, CVE-2025-21648, CVE-2025-21653, CVE-2025-21664, CVE-2025-21665, CVE-2025-21666, CVE-2025-21667, CVE-2025-21669, CVE-2025-21680, CVE-2025-21681, CVE-2025-21683, CVE-2025-21700, CVE-2025-21701     March 2025   37.0
Multiple Resolved minor issues: CVE-2023-3019, CVE-2023-3301, CVE-2023-52596, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622, CVE-2023-52889, CVE-2023-6683, CVE-2024-2004, CVE-2024-2398, CVE-2024-24789, CVE-2024-2511, CVE-2024-26327, CVE-2024-26328, CVE-2024-26581, CVE-2024-26601, CVE-2024-26602, CVE-2024-26603, CVE-2024-26621, CVE-2024-26622, CVE-2024-26626, CVE-2024-26627, CVE-2024-26640, CVE-2024-26641, CVE-2024-26642, CVE-2024-26643, CVE-2024-26665, CVE-2024-26671, CVE-2024-26673, CVE-2024-26676, CVE-2024-26679, CVE-2024-26687, CVE-2024-26688, CVE-2024-26698, CVE-2024-26704, CVE-2024-26718, CVE-2024-26720, CVE-2024-26731, CVE-2024-26733, CVE-2024-26735, CVE-2024-26737, CVE-2024-26739, CVE-2024-26740, CVE-2024-26759, CVE-2024-26760, CVE-2024-26761, CVE-2024-26763, CVE-2024-26764, CVE-2024-26769, CVE-2024-26772, CVE-2024-26773, CVE-2024-26774, CVE-2024-26775, CVE-2024-26782, CVE-2024-26783, CVE-2024-26798, CVE-2024-26803, CVE-2024-26804, CVE-2024-26805, CVE-2024-26809, CVE-2024-26810, CVE-2024-26812, CVE-2024-26815, CVE-2024-26816, CVE-2024-26835, CVE-2024-26840, CVE-2024-26844, CVE-2024-26845, CVE-2024-26851, CVE-2024-26852, CVE-2024-26857, CVE-2024-26862, CVE-2024-26865, CVE-2024-26878, CVE-2024-26880, CVE-2024-26882, CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26891, CVE-2024-26894, CVE-2024-26898, CVE-2024-26900, CVE-2024-26901, CVE-2024-26906, CVE-2024-26907, CVE-2024-26920, CVE-2024-26921, CVE-2024-26923, CVE-2024-26924, CVE-2024-26925, CVE-2024-26935, CVE-2024-26953, CVE-2024-26960, CVE-2024-26976, CVE-2024-26983, CVE-2024-26987, CVE-2024-26988, CVE-2024-26992, CVE-2024-26993, CVE-2024-27013, CVE-2024-27014, CVE-2024-27015, CVE-2024-27016, CVE-2024-27019, CVE-2024-27020, CVE-2024-27022, CVE-2024-27024, CVE-2024-27047, CVE-2024-27065, CVE-2024-27389, CVE-2024-27393, CVE-2024-27403, CVE-2024-27415, CVE-2024-27437, CVE-2024-31076, CVE-2024-3447, CVE-2024-35255, CVE-2024-35803, CVE-2024-35860, CVE-2024-35875, CVE-2024-35904, CVE-2024-35929, CVE-2024-35939, CVE-2024-35945, CVE-2024-35947, CVE-2024-35961, CVE-2024-35974, CVE-2024-35995, CVE-2024-36000, CVE-2024-36017, CVE-2024-36028, CVE-2024-36244, CVE-2024-36270, CVE-2024-36286, CVE-2024-36489, CVE-2024-36881, CVE-2024-36882, CVE-2024-36883, CVE-2024-36889, CVE-2024-36890, CVE-2024-36891, CVE-2024-36901, CVE-2024-36902, CVE-2024-36903, CVE-2024-36904, CVE-2024-36905, CVE-2024-36908, CVE-2024-36909, CVE-2024-36910, CVE-2024-36911, CVE-2024-36912, CVE-2024-36913, CVE-2024-36916, CVE-2024-36917, CVE-2024-36918, CVE-2024-36927, CVE-2024-36929, CVE-2024-36933, CVE-2024-36938, CVE-2024-36971, CVE-2024-36974, CVE-2024-36978, CVE-2024-36979, CVE-2024-37356, CVE-2024-37370, CVE-2024-37371, CVE-2024-37568, CVE-2024-38538, CVE-2024-38555, CVE-2024-38556, CVE-2024-38557, CVE-2024-38564, CVE-2024-38576, CVE-2024-38577, CVE-2024-38580, CVE-2024-38586, CVE-2024-38588, CVE-2024-38596, CVE-2024-38598, CVE-2024-38601, CVE-2024-38612, CVE-2024-38615, CVE-2024-38627, CVE-2024-39276, CVE-2024-39298, CVE-2024-39329, CVE-2024-39330, CVE-2024-39371, CVE-2024-39474, CVE-2024-39476, CVE-2024-39482, CVE-2024-39487, CVE-2024-39489, CVE-2024-39490, CVE-2024-39494, CVE-2024-39499, CVE-2024-39500, CVE-2024-39501, CVE-2024-39508, CVE-2024-39509, CVE-2024-39614, CVE-2024-40900, CVE-2024-40905, CVE-2024-40906, CVE-2024-40908, CVE-2024-40914, CVE-2024-40919, CVE-2024-40931, CVE-2024-40935, CVE-2024-40937, CVE-2024-40938, CVE-2024-40945, CVE-2024-40947, CVE-2024-40953, CVE-2024-40954, CVE-2024-40957, CVE-2024-40958, CVE-2024-40959, CVE-2024-40960, CVE-2024-40961, CVE-2024-40966, CVE-2024-40972, CVE-2024-40980, CVE-2024-40982, CVE-2024-40984, CVE-2024-40990, CVE-2024-40995, CVE-2024-40997, CVE-2024-40998, CVE-2024-41000, CVE-2024-41001, CVE-2024-41005, CVE-2024-41007, CVE-2024-41009, CVE-2024-41012, CVE-2024-41020, CVE-2024-41027, CVE-2024-41031, CVE-2024-41040, CVE-2024-41041, CVE-2024-41042, CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41057, CVE-2024-41058, CVE-2024-41073, CVE-2024-41077, CVE-2024-41079, CVE-2024-41081, CVE-2024-41090, CVE-2024-41091, CVE-2024-41096, CVE-2024-41098, CVE-2024-41989, CVE-2024-41991, CVE-2024-42005, CVE-2024-42063, CVE-2024-42067, CVE-2024-42068, CVE-2024-42080, CVE-2024-42098, CVE-2024-42106, CVE-2024-42131, CVE-2024-42135, CVE-2024-42136, CVE-2024-42145, CVE-2024-42152, CVE-2024-42154, CVE-2024-42159, CVE-2024-42229, CVE-2024-42232, CVE-2024-42239, CVE-2024-42241, CVE-2024-42243, CVE-2024-42245, CVE-2024-42247, CVE-2024-42265, CVE-2024-42268, CVE-2024-42269, CVE-2024-42270, CVE-2024-42276, CVE-2024-42281, CVE-2024-42283, CVE-2024-42285, CVE-2024-42292, CVE-2024-42302, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306, CVE-2024-42312, CVE-2024-42315, CVE-2024-42316, CVE-2024-42318, CVE-2024-42321, CVE-2024-42322, CVE-2024-4317, CVE-2024-43817, CVE-2024-43828, CVE-2024-43834, CVE-2024-43837, CVE-2024-43853, CVE-2024-43854, CVE-2024-43856, CVE-2024-43866, CVE-2024-43869, CVE-2024-43870, CVE-2024-43871, CVE-2024-43873, CVE-2024-43882, CVE-2024-43889, CVE-2024-43890, CVE-2024-43892, CVE-2024-43893, CVE-2024-43914, CVE-2024-44934, CVE-2024-44940, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947, CVE-2024-45490, CVE-2024-4603, CVE-2024-4741, CVE-202024-5535, CVE-2024-6119, CVE-2024-8008     November 2024   36.0
CVE-2024-37917

Insufficient input validation in the signalling implementation(s) allows a remote attacker to trigger a software abort resulting in a denial of service.

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Discussion: A crafted signalling message allows a remote attacker to trigger a software abort.

Mitigation: None

Resolution: Upgrade to Pexip Infinity v35.0 or later

 High High July 2024 All before 35.0 35.0
Multiple Resolved minor issues: CVE-2021-22959, CVE-2021-22960, CVE-2021-44532, CVE-2021-44533, CVE-2022-0597, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-3523, CVE-2022-35256, CVE-2022-3567, CVE-2023-1637, CVE-2023-30588, CVE-2023-3161, CVE-2023-39326, CVE-2023-4459, CVE-2023-48795, CVE-2023-48795, CVE-2023-52435, CVE-2023-52458, CVE-2024-0450, CVE-2024-27086, CVE-2024-28102, CVE-2024-28219, CVE-2024-29992, CVE-2024-35255, CVE-2023-50387, CVE-2023-50868, CVE-2024-34397, CVE-2024-2961, CVE-2022-4864, CVE-2024-32487, CVE-2024-24806, CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2023-28405, CVE-2023-6597, CVE-2024-28085, CVE-2022-3566, CVE-2023-3640, CVE-2023-4387, CVE-2023-52452, CVE-2023-52476, CVE-2023-52492, CVE-2023-52498, CVE-2024-26589     July 2024   35.0

Pexip apps

Each bulletin addresses a number of vulnerabilities in the software used by the Pexip apps. The bulletins include an assessment of the issues, the impact on the Pexip app, and resolution details.

Bulletin Description Risk Updated Impacted versions Addressed in version
CVE-2024-38392

Insufficient authenticity checks in loading resources allow an attacker to cause the application to run untrusted code.

CVSS3.1 base score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.13.0 and Connect mobile app v1.13.0

Credit: This issue was responsibly disclosed by Mand Consulting Group

 Medium July 2024   1.13.0
CVE-2022-2478

Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

 High March 2023 Unknown 1.12
CVE-2022-2295

Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

 High March 2023

Unknown

 1.12
CVE-2022-2294

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

 High March 2023 Unknown 1.12
CVE-2022-2162

Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 103.0.5060.53 allowed a remote attacker to bypass file system access via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

High

 March 2023 Unknown 1.12
CVE-2022-2011

Use after free in ANGLE in Google Chrome prior to 102.0.5005.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect desktop app v1.12

 High March 2023 Unknown 1.12
 

Resolved minor issue: CVE-2022-1867

 

   March 2023   1.12

VMR self-service portal

Each bulletin addresses a number of vulnerabilities in the software used by the VMR self-service portal. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.

Bulletin Description Risk Updated Impacted versions Addressed in version
CVE-2023-40236

The Pexip VMR self-service portal before v3 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof fake instances by leveraging these keys.

CVSS 3.1 base score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: Manually remove and regenerate the SSH host keys on each VMR Portal instance.

Resolution: Upgrade to VMR portal v3.

 High October 2023 All prior to version 3 3

Enhanced Room Management

Each bulletin addresses a number of vulnerabilities in the software used by ERM. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.

Bulletin Description Risk Updated Impacted versions Addressed in version
CVE-2024-6387

A race condition was found in OpenSSH's server. If a client does not authenticate within 120 seconds then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code with root privileges.

CVSS3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: The mitigation for older versions (prior to v2.0.1) is to disable the Proxy service in the ERM Installer and redeploy, however we recommend upgrading to v2.0.1 as soon as practicable.

Resolution: Install v2.0.1 security upgrade 2024-07-09.

 High July 2024 All prior to version 2.0.1 2.0.1 security upgrade 2024-07-09