Pexip security bulletins
The following security bulletins are published by Pexip for issues affecting Pexip Infinity, the Pexip Connect apps, and the VMR self-service portal.
Please contact your Pexip authorized support representative for more information about these issues. This list covers issues addressed in Pexip Infinity v32.0 and later. For issues addressed in v31.x or earlier, see our documentation for previous releases.
More detailed information about each vulnerability is available from the NIST National Vulnerability Database: http://nvd.nist.gov/.
Pexip Infinity
Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact on the Pexip Infinity platform, and resolution details.
In the table below, "Severity" reflects the severity of the issue as calculated from the CVSS Base Score. "Risk" reflects the risk associated with each vulnerability in the context of the Pexip Infinity product environment.
Reference | Description | Severity | Risk | Updated | Impacted versions | Addressed in version
---|---|---|---|---|---|---
CVE-2023-34058 | VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges CVSS3.1 base score: 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Discussion: Exploitation of this vulnerability requires that the VMware administrator has issued SAML SSO credentials for a user to perform VM Guest Operations and has also assigned one or more Guest Aliases to the Infinity virtual machines. Mitigation: Pexip neither recommends nor supports the assignment of Guest Aliases to Infinity virtual machines. Ensure that no Guest Aliases have been inadvertently assigned to Infinity virtual machines: https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html Resolution: Upgrade to Pexip Infinity v34. | High | High | March 2024 | All before 34.0 | 34.0
Multiple | Resolved minor issues: CVE-2016-10744, CVE-2023-4911, CVE-2023-44487, CVE-2023-45284, CVE-2023-46218, CVE-2023-46219, CVE-2023-5363, CVE-2023-5678, CVE-2023-6237, CVE-2023-6780, CVE-2024-0727 | | | March 2024 | | 34.0
Multiple | Resolved minor issues: CVE-2020-36516, CVE-2021-32292, CVE-2022-20572, CVE-2022-3107, CVE-2022-3435, CVE-2022-3524, CVE-2022-3543, CVE-2022-3623, CVE-2022-3707, CVE-2022-4378, CVE-2022-48554, CVE-2023-0179, CVE-2023-0386, CVE-2023-0458, CVE-2023-0459, CVE-2023-0461, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1095, CVE-2023-1206, CVE-2023-1249, CVE-2023-1252, CVE-2023-1255, CVE-2023-1998, CVE-2023-20588, CVE-2023-20900, CVE-2023-22998, CVE-2023-23006, CVE-2023-23931, CVE-2023-2650, CVE-2023-2975, CVE-2023-31130, CVE-2023-31248, CVE-2023-3138, CVE-2023-32233, CVE-2023-3390, CVE-2023-3446, CVE-2023-36053, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3772, CVE-2023-3773, CVE-2023-3776, CVE-2023-38039, CVE-2023-3817, CVE-2023-38633, CVE-2023-39318, CVE-2023-39319, CVE-2023-4004, CVE-2023-40217, CVE-2023-4128, CVE-2023-4147, CVE-2023-4569, CVE-2023-4622, CVE-2023-4911 | | | October 2023 | | 33.0
CVE-2023-29331 | A vulnerability exists in .NET when processing malicious X.509 client certificates that may consume excessive CPU and lead to a denial of service. CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Mitigation: None. Resolution: Upgrade to Pexip Infinity 32.1. | High | High | July 2023 | 27.0 - 32.0 | 32.1
CVE-2023-37225 | Cross-site scripting vulnerability in the legacy web app ("Webapp1") when using preconfigured links. CVSS3.1 base score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Discussion: An attacker may achieve cross-site scripting by convincing a user to activate a crafted preconfigured link using the legacy Infinity Connect web app ("Webapp1"). Mitigation: Resolution: Upgrade to Pexip Infinity 32.0. For deployments running Infinity v30.x and v31.x, contact your authorized Pexip support representative for a software bundle fix. Credit: This issue was responsibly disclosed by https://github.com/40826d. | High | High | July 2023 | 5 through 31.3 | 32.0
Multiple | Resolved minor issues: CVE-2022-3515, CVE-2022-3736, CVE-2022-3924, CVE-2022-4203, CVE-2022-4304, CVE-2022-32221, CVE-2022-38725, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-1255, CVE-2023-2650, CVE-2023-23916, CVE-2023-26463, CVE-2023-27537, CVE-2023-28484, CVE-2023-29469 | | | June 2023 | | 32.0
Connect app
Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.
VMR self-service portal
Each bulletin addresses a number of vulnerabilities in the software used by the VMR self-service portal. The bulletins include an assessment of the issues, the impact on the VMR portal, and resolution details.