CVE-2022-29555 and CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect | Mender

We recently discovered two vulnerabilities in Mender, and we have now fixed them.

The deviceconnect microservice in Mender before version 3.2.2 allows Cross-Origin WebSocket Hijacking. The vulnerability is present in the following versions of the product: 2.6.x, 2.7.x, 3.0.x, 3.1.x, 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29555.

This is a companion discussion topic for the original entry at