From 750366f2b8978d52babc2345184a7797b4601a98 Mon Sep 17 00:00:00 2001 From: Peter Amstutz Date: Fri, 5 Aug 2022 14:03:31 -0400 Subject: [PATCH] Sync security update text. refs #19330 Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- doc/admin/upgrading.html.textile.liquid | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid index 5d35ebb9a1..00b20c43eb 100644 --- a/doc/admin/upgrading.html.textile.liquid +++ b/doc/admin/upgrading.html.textile.liquid @@ -42,14 +42,15 @@ GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. -This vulnerability is fixed in 2.4.2. +This vulnerability is fixed in 2.4.2 ("#19316":https://dev.arvados.org/issues/19316). -We believe the vulnerability exists in all versions of Arvados up to 2.4.1. +It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1. This vulnerability is specific to the Ruby on Rails Workbench application ("Workbench 1"). We do not believe any other Arvados -components, including the TypesScript based Workbench ("Workbench 2") -or API Server, are vulnerable to this attack. +components, including the TypesScript browser-based Workbench +application ("Workbench 2") or API Server, are vulnerable to this +attack. h3. CVE-2022-31163 and CVE-2022-32224 -- 2.30.2
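Review bot: The rewritten line `+components, including the TypesScript browser-based Workbench` carries over the "TypesScript" misspelling from the removed line; since the hunk already touches that line, correct it to "TypeScript" in the same change. A smaller point in the same hunk: the edit changes "We believe the vulnerability exists in all versions" to the impersonal "It is likely that this vulnerability exists", yet the very next paragraph still reads "We do not believe any other Arvados components ... are vulnerable", so the two sentences now mix voices; either keep "We believe" in the first or rephrase the second the same way (for example "It is not believed that any other Arvados components ... are vulnerable").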