Skip to content

v7.3.1 - Security release

Latest

Choose a tag to compare

@afk11 afk11 released this 08 Jul 15:07

INEX is pleased to announce the immediate availability of IXP Manager v7.3.1. This is primarily a security release following a responsible disclosure from @9Bakabaka.

⚠️ All IXP Manager users should upgrade to v7.3.1.

Release Summary

git --no-pager diff --shortstat v7.3.0
 13 files changed, 266 insertions(+), 360 deletions(-)

Upgrade Instructions

The official upgrade instructions can be found here.


Security Advisory: Vulnerabilities Resolved in v7.3.1

Impact: High (Remote Code Execution)

Target Audience: All IXP Manager Administrators

Summary

We have released IXP Manager v7.3.1 to address a high-impact security vulnerability. All users are strongly urged to upgrade immediately.

Identified Issues

  1. Remote Code Execution (CVE-PENDING) (CVSS Base Severity: 9.9)
    A confirmed vulnerability allows an authenticated user to achieve remote code execution on the server running IXP Manager. The CVSS Base score is 9.9 (Critical). This was responsibly disclosed via GitHub's Security Advisories platform

Remediation

The vulnerability is addressed in this v7.3.1 release. Please upgrade to v7.3.1 as soon as possible.

Acknowledgments

We would like to sincerely thank @9Bakabaka for responsibly disclosing this issue, and for the detailed report which accompanied their disclosure.


Other Improvements

  • Refactoring markdown mailable classes.

Bug Fixes

  • A crash on the contact information page was fixed.
  • The API key view page now shows the token identifier and description.