Genian ZTNA Security Advisories
Last Updated: 2024-04-01
Security Vulnerability
Fixed Versions | Key | Components | Description | Affected Versions | CVSS Score |
---|---|---|---|---|---|
6.0.9 | GN-25753 | WebUI | Improved so that CWP does not redirect to an illegal path via the PAGEFW parameter | | 4.2 |
6.0.9 | GN-25746 | Center, Sensor | Secure coding inspection results vulnerability patch | | |
6.0.9 | GN-25438 | Center, Sensor | Improved the _filelist.html file to be generated differently for each center | | 3 |
6.0.8 | GN-25561 | WebUI | Blind SQL injection vulnerability in the node search bar | | 5.3 |
6.0.8 | GN-25184 | Sensor | Modified Dnsmasq not to cache query results, to prevent DNS cache attacks | | 3.7 |
6.0.8 | GN-23677 | Center, Sensor | Administrator approval system to enhance security when registering sensor policy servers | | 7.9 |
6.0.7 | GN-25387 | Database, WebUI | Management roles not applied to Policy > Cloud Security Group Policy | | 3.5 |
6.0.7 | GN-25309 | Center, Sensor | CSAP (SaaS) security certification audit source code vulnerability measures - C/C++ | | 7.5 |
6.0.7 | GN-25250 | WebUI | Possible XSS when "/" is appended after an HTML tag string | | 4.9 |
6.0.7 | GN-25239 | WebUI | Tomcat version upgrade (8.5.78 -> 9.0.65) | | 7.5 |
6.0.7 | GN-25237 | WebUI | CSAP (SaaS) security certification audit source code vulnerability measures | | 0 |
6.0.7 | GN-25193 | WebUI | [Universal OS Ubuntu] Management Console > The 'X-Frame-Options' header on the CWP Design Template list page is set to ALLOWALL | | 6.5 |
6.0.7 | GN-25119 | macOS Agent | Upgrade to the latest versions of macOS Agent, OpenVPN (2.5.7), and OpenSSL (1.1.1q) | | 5.3 |
6.0.6 | GN-25306 | WebUI | Usable HTTP method information is disclosed via an unused HTTP method | | 5.3 |
6.0.6 | GN-25110 | Linux Agent | Upgrading Linux Agent, OpenVPN (2.5.7), and OpenSSL (1.1.1q) to the latest versions | | 5.3 |
6.0.5 | GN-25104 | Center, macOS Agent, Sensor, Windows Agent | Upgrading to the latest version of OpenSSL (OpenSSL 1.1.1q) | | 5.3 |
6.0.5 | GN-24782 | WebUI | Library upgrades based on vulnerability checks | | 9.8 |
6.0.4 | GN-25064 | WebUI | Web service improved so that Apache WAS information is not exposed | 4.0.119, 5.0.16 | 2.5 |
6.0.4 | GN-24583 | WebUI | Upgrade of a Java library used by WebUI in which a vulnerability was discovered | | 9.8 |
6.0.4 | GN-23947 | Windows Agent | Windows Agent secure coding inspection results vulnerability patch | 5.0.0, 6.0.0 | |
6.0.3 | GN-24917 | Center, macOS Agent, Sensor, Windows Agent | Upgrading to the latest version of OpenSSL (OpenSSL 1.1.1o) | | 9.8 |
6.0.3 | GN-24908 | WebUI | Tomcat version upgrade (8.5.78) | | 8.6 |
6.0.3 | GN-24851 | Center | Apache HTTP Server 2.4.53 upgrade | | 9.8 |
6.0.22 | GN-26723 | WebUI | Fix for changes to an administrator's rights not being applied immediately | | 3.3 |
6.0.21, 6.0.16 | GN-28063 | WebUI | Blind injection possible in the node management search bar | | 2.2 |
6.0.20, 6.0.16 | GN-27107 | WebUI | Service disabled by an unauthorized administrator executing a Tomcat restart command | 5.0.41 | 2.7 |
6.0.2 | GN-24689 | WebUI | XSS possible in Audit > Logs > Log Search | | 4.3 |
6.0.2 | GN-24687 | WebUI | Files can be accessed via relative paths on the debug log screen | | 3.83 |
6.0.2 | GN-24651 | Center, macOS Agent, Windows Agent | Upgrading to the latest version of OpenSSL (OpenSSL 1.1.1n) | 4.0.0, 5.0.0, 6.0.0 | 7.5 |
6.0.2 | GN-24535 | WebUI | Remove Logstash | | 5.9 |
6.0.18, 6.0.16 | GN-26393 | WebUI | Information can be modified by directly entering the URL of an unauthorized page | | 3.1 |
6.0.18, 6.0.16 | GN-26390 | WebUI | File export permission bypass for unauthorized administrators through the Audit Log REST API | | 3.1 |
6.0.17, 6.0.16 | GN-27492 | WebUI | Tomcat version upgrade (8.5.94 -> 8.5.96 / 9.0.81 -> 9.0.83) | | 7.5 |
6.0.17, 6.0.16 | GN-27278 | WebUI | Tomcat version upgrade (8.5.94 / 9.0.81) | | 7.5 |
6.0.17, 6.0.16 | GN-26315 | WebUI | Two-step verification improved to limit the number of verification code attempts and add a time limit | | 4.3 |
6.0.17 | GN-26600 | WebUI | Unable to log in after an abnormal API call | 5.0.42, 5.0.49, 6.0.7, 4.0.156, 5.0.56 | 5.3 |
6.0.16 | GN-27014 | WebUI | A Passkey can be registered without permission using the Passkey re-registration function | | 3.9 |
6.0.16 | GN-26935 | WebUI | An HTML tag output as a department name is executed in the tree view | 5.0.0 | 1.2 |
6.0.16 | GN-26835 | Center | Command injection vulnerability via SQL used to update data | | 6.6 |
6.0.16 | GN-26833 | Sensor | Nmap script tampering vulnerability during sensor NMDB update | | 4.1 |
6.0.16 | GN-26696 | Sensor | Insufficient validation of incoming sensor events | | 6.3 |
6.0.16 | GN-26694 | Center | Parameter injection vulnerability due to insufficient verification of download URLs | | 6.6 |
6.0.16 | GN-26383 | WebUI | HTML/script code can be injected | | 5.3 |
6.0.15 | GN-26814 | Center | Code improvements against buffer overflow | | 2 |
6.0.15 | GN-26725 | Linux Agent, macOS Agent, Windows Agent | [Agent] Added validation for events sent from the Center and sensors | | 6.3 |
6.0.15 | GN-26392 | WebUI | Unprivileged administrators can download debug logs | | 2.9 |
6.0.15 | GN-26368 | WebUI | An administrator's API key is exposed to other administrators | | 5.3 |
6.0.15 | GN-26222 | WebUI | Redirection possible by tampering with the returnURL parameter used when moving between pages in the management console | | 1.9 |
6.0.14 | GN-26460 | Windows Agent | An ordinary user can obtain PC administrator rights via the agent | 5.0.0, 6.0.0 | 4.6 |
6.0.14 | GN-26391 | WebUI | An unauthorized administrator can view debug logs in real time | 5.0.0, 6.0.0 | 2.9 |
6.0.13 | GN-26286 | WebUI | Google OTP two-step verification can be passed by requesting a new security key | | 6.5 |
6.0.12 | GN-26205 | Database | MySQL version upgrade 5.7.40 -> 5.7.41 | | |
6.0.12 | GN-26150 | WebUI | Tomcat version upgrade (9.0.68 -> 9.0.72, 8.5.78 -> 8.5.86) | | |
6.0.12 | GN-26062 | Center, macOS Agent, Sensor, Windows Agent | OpenSSL 1.1.1t upgrade: passing arbitrary pointers to memcmp calls can read memory contents or cause a denial of service | | 7.4 |
6.0.12 | GN-26000 | MySQL | MySQL version upgrade 5.7.33 -> 5.7.40 | | |
6.0.12 | GN-25869 | CWP | Only the account (ID) is authenticated when CWP authentication is performed via the agent user authentication menu while the IP management message is first on | 6.0.3, 5.0.46 | 3.4 |
6.0.11 | GN-25982 | WebUI | CSP and HSTS headers added to WebUI response headers | | |
6.0.11 | GN-25875 | Windows Agent | The agent runs a web browser with high privileges | 4.0.0, 5.0.0, 6.0.0 | 3.3 |
6.0.11 | GN-25849 | WebUI | WebUI library vulnerability check | | |
6.0.11 | GN-25811 | IPMGMT | Login possible with only a user ID via the front page of the IP application system | | 4.9 |
6.0.10 | GN-25925 | IPMGMT, WebUI | IP Application System > XSS possible on the IP application screen | | 5.4 |
6.0.10 | GN-25847 | WebUI | Added a re-authentication step when accessing the user information modification page on the CWP screen | | 4.2 |
6.0.10 | GN-25740 | WebUI | XSS possible in Audit > Logs > Log search bar | | 5.6 |
6.0.1 | GN-24305 | GNOS | Apache upgraded to version 2.4.52 to address vulnerabilities | | 9.8 |
6.0.1 | GN-24253 | WebUI | Log4j vulnerability fixes | | 9.8 |
6.0.1 | GN-23714 | Center | Strengthened authentication on agent-related APIs | | 4.6 |
6.0.1 | GN-23461 | WebUI | [SaaS] SaaS security certification source code inspection result measures | | 9.1 |
6.0.1 | GN-23446 | gnlogin, WebUI | Passwords handled so that specific words cannot be used | | 8.7 |
6.0.0 | GN-24030 | GNOS | Removed the reverse shell feature from the netcat (nc) command included with the product | | |
6.0.0 | GN-24014 | Center | Restrictions on SOAP/REST calls over HTTP | | 2.5 |
6.0.0 | GN-23981 | macOS Agent, Windows Agent | Abnormal termination due to manipulated UDP event packets sent to the agent | | 3.4 |
6.0.0 | GN-23977 | macOS Agent, Windows Agent | Fixed an XSS vulnerability when the agent displays instant messages | | 6.8 |
6.0.0 | GN-23972 | Center, Sensor | The daemon may terminate abnormally when processing UDP event packets | 5.0.36 | 6.4 |
6.0.0 | GN-23970 | WebUI | Administrator login bypass vulnerability using mobile apps | | 6.1 |
6.0.0 | GN-23967 | WebUI | REST API command injection | | 6.7 |
6.0.0 | GN-23966 | WebUI | XSS vulnerability when applying as a CWP user via an Excel file | | 6.8 |
6.0.0 | GN-23965 | WebUI | Internal file download vulnerability via a relative path on the Agent Download page | 5.0.37 | 5.2 |
6.0.0 | GN-23794 | WebUI | The REST API can be called without a valid authentication basis | | 4.9 |
6.0.0 | GN-23743 | Center | Fixes for Denial of Service (DoS) vulnerabilities through APIs | | 6.4 |
6.0.0 | GN-23708 | Center | Strengthened authentication on sensor-related APIs | | 4.6 |
6.0.0 | GN-23706 | Center | Internally used SOAP API exposed externally via RPC | | |
6.0.0 | GN-23705 | WebUI | (KVE-2021-1062) Enhanced file name validity check for the file upload component in Conf Engine | | 6.7 |
6.0.0 | GN-23702 | WebUI | (KVE-2021-1062) SSTI vulnerability in CWP Design Template | | |
6.0.0 | GN-23701 | Windows Agent | (KVE-2021-1062) Relative paths can be used when generating agent files | | 6.1 |
6.0.0 | GN-23700 | Center | (KVE-2021-1061) A node can change passwords even without being an authenticated user | | 8.7 |
6.0.0 | GN-23699 | Center, Sensor | (KVE-2021-1061) Information on all nodes can be obtained without sensor information | | |
6.0.0 | GN-23663 | macOS Agent, Windows Agent | Agent OpenSSL 1.1.1l update | | 9.8 |
6.0.0 | GN-23662 | GNOS | Upgraded to OpenSSL version 1.1.1l | 4.0.146, 5.0.44, 6.0.1 | 9.8 |
6.0.0 | GN-23563 | Center | Fixes to defend against command injection attacks | | 8 |
6.0.0 | GN-23533 | Center | Improved so that unusable plug-ins are not delivered to agents | | 7.6 |
6.0.0 | GN-23500 | Center | Improved SQL injection defense processing method | | 8.7 |
6.0.0 | GN-23499 | GNOS | Removed the vulnerable LD_LIBRARY_PATH environment variable within GNOS | | |
6.0.0 | GN-23488 | WebUI | [SaaS] SaaS security certification WAS (Tomcat) vulnerability improvements | | 7.5 |
6.0.0 | GN-23377 | GNOS | Upgraded OpenSSH to version 8.6p1 | | |
6.0.0 | GN-23358 | WebUI | [CC] Web vulnerability check results addressed | | 6.5 |
6.0.0 | GN-23237 | GenianOS | Apache httpd (2.4.48) / Tomcat (8.5.63) upgrade | | 7.5 |
6.0.0 | GN-23233 | ElasticSearch | [CC] Elasticsearch upgraded to version 5.6.16 | | 8.8 |