CVE-2022-29555 and CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect | Mender

farshadt · April 27, 2022, 9:50pm

We recently discovered two vulnerabilities in Mender, and we have now fixed them.

The deviceconnect microservice in Mender before version 3.2.2 allows Cross-Origin WebSocket Hijacking. The vulnerability is present in the following versions of the product: 2.6.x, 2.7.x, 3.0.x, 3.1.x, 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29555.

This is a companion discussion topic for the original entry at https://mender.io/blog/cve-2022-29555-and-cve-2022-29556-vulnerabilities-in-iot-manager-and-deviceconnect

Topic		Replies	Views
CVE-2021-35342 - useradm incorrect access control vulnerability \| Mender Announcements	0	339	August 23, 2021
Mender connect trying to authenticate against a local service? General Discussions mender-connect	2	83	March 26, 2024
/api/devices/v2/deployments/device/deployments/next throws error General Discussions yocto	2	371	January 24, 2023
Still x509 error while executing authorization request General Discussions	2	370	November 6, 2020
Device can't connect to hosted server General Discussions hosted-mender , deviceauth , authorization	3	698	March 27, 2023

CVE-2022-29555 and CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect | Mender

Related Topics