3.3 - Security fixes


Security fixes provided in 3.3.0-funcrel

| CAST image | CVE | Severity | Description | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2024-8176 | HIGH | libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat | 3.2.3 |
| admin-center | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.3 |
| admin-center | CVE-2025-27820 | HIGH | org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass | 3.2.3 |
| admin-center | CVE-2025-29087 | HIGH | sqlite: Integer Overflow in SQLite concat_ws Function | 3.2.3 |
| admin-center | CVE-2025-31498 | HIGH | c-ares: c-ares has a use-after-free in read_answers() | 3.2.3 |
| auth-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.3 |
| auth-service | CVE-2024-8176 | HIGH | libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat | 3.2.3 |
| auth-service | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.3 |
| auth-service | CVE-2025-27820 | HIGH | org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass | 3.2.3 |
| auth-service | CVE-2025-29087 | HIGH | sqlite: Integer Overflow in SQLite concat_ws Function | 3.2.3 |
| auth-service | CVE-2025-31498 | HIGH | c-ares: c-ares has a use-after-free in read_answers() | 3.2.3 |
| console | CVE-2024-8176 | HIGH | libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat | 3.2.3 |
| console | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.3 |
| console | CVE-2025-29087 | HIGH | sqlite: Integer Overflow in SQLite concat_ws Function | 3.2.3 |
| console | CVE-2025-31498 | HIGH | c-ares: c-ares has a use-after-free in read_answers() | 3.2.3 |
| gateway | CVE-2024-8176 | HIGH | libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat | 3.2.3 |
| gateway | CVE-2025-22235 | HIGH | org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | 3.2.3 |
| gateway | CVE-2025-27820 | HIGH | org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass | 3.2.3 |
| gateway | CVE-2025-29087 | HIGH | sqlite: Integer Overflow in SQLite concat_ws Function | 3.2.3 |
| gateway | CVE-2025-31498 | HIGH | c-ares: c-ares has a use-after-free in read_answers() | 3.2.3 |
| sso-service | CVE-2024-10039 | HIGH | keycloak-core: mTLS passthrough | 3.2.3 |
| sso-service | CVE-2024-10270 | HIGH | org.keycloak:keycloak-services: Keycloak Denial of Service | 3.2.3 |
| sso-service | CVE-2024-10451 | HIGH | org.keycloak:keycloak-quarkus-server: Sensitive Data Exposure in Keycloak Build Process | 3.2.3 |
| sso-service | CVE-2024-12397 | HIGH | io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling | 3.2.3 |
| sso-service | CVE-2025-24970 | HIGH | io.netty:netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine | 3.2.3 |
| ai-service | CVE-2025-31115 | HIGH | xz: XZ has a heap-use-after-free bug in threaded .xz decoder | 3.2.3 |
| ai-service | CVE-2025-43859 | CRITICAL | h11: h11 accepts some malformed Chunked-Encoding bodies | 3.2.3 |
| viewer | CVE-2025-21587 | HIGH | openjdk: Better TLS connection support (Oracle CPU 2025-04) | 3.2.3 |
| viewer | CVE-2025-23083 | HIGH | nodejs: Node.js Worker Thread Exposure via Diagnostics Channel | 3.2.3 |
| viewer | CVE-2025-29087 | HIGH | sqlite: Integer Overflow in SQLite concat_ws Function | 3.2.3 |
| viewer | CVE-2025-31115 | HIGH | xz: XZ has a heap-use-after-free bug in threaded .xz decoder | 3.2.3 |