We recently discovered two vulnerabilities in Mender, and we have now fixed them.
The deviceconnect microservice in Mender before version 3.2.2 allows Cross-Origin WebSocket Hijacking. The affected versions are 2.6.x, 2.7.x, 3.0.x, 3.1.x, 3.2.0 and 3.2.1; the issue was patched in Mender 3.2.2. Its identifier in the official public CVE registry is CVE-2022-29555.
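The defender's check against this class of bug, as an added example that is not Mender's own code and not the 3.2.2 fix itself: a Go WebSocket upgrade path that validates the browser's Origin header against an exact allowlist before the upgrade proceeds. The allowlist, the `originAllowed`/`requireSameOrigin` names and the `https://mender.example.com` origin are constructed for illustration.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins holds the exact browser origins permitted to open a
// WebSocket to this service. Constructed sample value for this example.
var allowedOrigins = map[string]bool{
	"https://mender.example.com": true,
}

// originAllowed decides whether a WebSocket upgrade request may proceed.
// Browsers exempt WebSocket handshakes from the same-origin policy yet
// still attach the session cookie, so unless the server rejects foreign
// Origins, any page the user visits can open an authenticated socket
// (Cross-Origin WebSocket Hijacking).
func originAllowed(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake; a request
		// without one comes from a non-browser client (device agent, CLI)
		// that carries no ambient browser credentials.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false // "null", garbage, or a bare path
	}
	// Exact scheme+host match, never a prefix or substring check, so a
	// look-alike such as https://mender.example.com.evil.example fails.
	return allowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)]
}

// requireSameOrigin wraps a WebSocket endpoint so a cross-origin upgrade
// is refused with 403 before the socket or any session state is touched.
func requireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !originAllowed(r) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The middleware belongs in front of the upgrade handler itself; a check performed after the upgrade is too late, because the authenticated socket already exists.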
This is a companion discussion topic for the original entry at https://mender.io/blog/cve-2022-29555-and-cve-2022-29556-vulnerabilities-in-iot-manager-and-deviceconnect