What are DRACOON security updates?
Security updates are updated versions of DRACOON components for which a security-relevant error has been identified or reported.
A security-relevant error is a vulnerability in the software that can be exploited under certain conditions to gain unauthorized access to data worth protecting.
Since mid-July 2020, vulnerabilities in DRACOON have been rated by severity. For this purpose, CVSS scores (Common Vulnerability Scoring System) are used, which allow different vulnerabilities to be compared on the basis of a defined set of factors (metrics).
The higher the score, the more severe the vulnerability is rated:
CVSS Score | Severity Rating |
---|---|
9.0 – 10.0 | Critical |
7.0 – 8.9 | High |
4.0 – 6.9 | Medium |
3.9 or less | Low |
DRACOON also publishes security bulletins to inform customers about known vulnerabilities in the components it uses.
How do I receive DRACOON security updates?
As an existing DRACOON cloud customer, you will receive security-relevant updates immediately as soon as they are available and have been tested accordingly.
As an existing customer of DRACOON Server with a DRACOON-managed environment (fully managed service), you will receive an announcement with a date on which DRACOON will install the update.
As an existing customer of DRACOON Server with a self-managed environment, you will be informed about an available security-related update—but you are responsible for the installation or the update of the affected component yourself. If support is needed, our operations team will assist with the installation.
For clients (DRACOON for Windows/Mac, DRACOON for Outlook, DRACOON for iOS, and DRACOON for Android), downloads of the latest versions are provided via the following DRACOON page:
Updates for the mobile apps (DRACOON for iOS and Android) are distributed and rolled out via the respective stores (App Store, Google Play Store).
We will inform all existing customers if a security-relevant update is available for the desktop applications (DRACOON for Windows/Mac or DRACOON for Outlook).
DRACOON security updates
Description | Release | Release Date | CVE-ID | CVSS Score | Severity |
---|---|---|---|---|---|
Faulty scripts can cause a crash in the elasticsearch library | Dracoon Cloud-Component | 24.01.2024 | CVE-2023-46673 | 7.5 | High |
Incorrect input validation in the Apache Tomcat library | Dracoon Cloud-Component | 24.01.2024 | CVE-2023-46673 | 7.5 | High |
Denial of Service (DoS) vulnerability in the library tomcat-embed-websocket | Dracoon Cloud-Component | 24.01.2024 | CVE-2023-44487 | 7.5 | High |
Incorrect input validation allows HTML injection into sent e-mail messages | Dracoon Cloud-Component | 24.01.2023 | - | 4.6 | Medium |
OutOfMemory error due to missing size check in the rabbitmq library | Dracoon Cloud-Component | 15.01.2024 | CVE-2023-46120 | 7.5 | High |
Deletion of the locally stored key in the web application was not carried out correctly | Dracoon Cloud-Component | 10.01.2024 | - | 5.3 | Medium |
Support for outdated iOS versions | Dracoon for iOS 6.18.0 | 07.12.2023 | - | 6.9 | Medium |
Lack of verification when entering easy-to-guess PINs | Dracoon for iOS 6.18.0 | 07.12.2023 | - | 6.8 | Medium |
Insufficient number of iterations when deriving a key to encrypt the private key from the entered password | Dracoon Cloud-Component | 05.12.2023 | - | 7.7 | High |
Incorrect input validation in the Apache httpclient library | Dracoon Cloud-Component | 29.11.2023 | CVE-2020-13956 | 5.3 | Medium |
Denial of Service (DoS) vulnerability in the elasticsearch library | Dracoon Cloud-Component | 29.11.2023 | CVE-2023-31419 | 6.5 | Medium |
Incorrect input validation in the Apache commons_compress library | Dracoon Cloud-Component | 29.11.2023 | CVE-2023-42503 | 5.5 | Medium |
OutOfMemory error due to missing size check in the rabbitmq library | Dracoon Cloud-Component | 28.11.2023 | CVE-2023-46120 | 7.5 | High |
OutOfMemory error due to missing size check in the rabbitmq library | Dracoon Cloud-Component | 25.11.2023 | CVE-2023-46120 | 7.5 | High |
Deserialisation of untrusted data in the spring-amqp library | Dracoon Cloud-Component | 16.11.2023 | CVE-2023-34050 | 8 | High |
Denial of Service (DoS) vulnerability in the library tomcat-embed-websocket | Dracoon Cloud-Component | 16.11.2023 | CVE-2023-44487 | 7.5 | High |
OutOfMemory error due to missing size check in the rabbitmq library | Dracoon Cloud-Component | 16.11.2023 | CVE-2023-46120 | 7.5 | High |
Incorrect validation of external CSS in the postcss library | Dracoon Cloud-Component | 08.11.2023 | CVE-2023-44270 | 5.3 | Medium |
Incomplete list of unauthorised entries in the babel/traverse library | Dracoon Cloud-Component | 06.11.2023 | CVE-2023-45133 | 9.3 | Critical |
Insufficient number of iterations when deriving a key to encrypt the private key from the entered password | Dracoon Java Crypto SDK 2.1.0 | 30.10.2023 | - | 7.7 | High |
Incorrect clean-up of HTML entries in branding input fields | Dracoon Cloud-Component | 27.10.2023 | - | 5.4 | Medium |
Insufficient number of iterations when deriving a key to encrypt the private key from the entered password | Dracoon Javascript Crypto SDK 2.3.0 | 23.10.2023 | - | 7.7 | High |
Insufficient number of iterations when deriving a key to encrypt the private key from the entered password | Dracoon Swift Crypto SDK 2.3.0 | 11.10.2023 | - | 7.7 | High |
Incorrect cleansing of user input when creating reports | Dracoon Cloud-Component | 12.09.2023 | - | 3.3 | Low |
Older Patches
DRACOON Product | Description | Release Version | Release Date | CVSS Score | Rating |
---|---|---|---|---|---|
DRACOON Cloud, DRACOON Server | The Okio and OkHttp components used by DRACOON for Android each contain a vulnerability (CVE-2023-3635 and CVE-2023-3782). | DRACOON for Android 6.11, DRACOON for Android 5.12.8 | 01.09.2023 | 7.5 | High |
DRACOON Cloud | The SQLite component used by DRACOON for Android contains a vulnerability (CVE-2023-32697). | DRACOON for Android 6.10 | 31.07.2023 | 9.8 | Critical |
DRACOON Cloud | The Bouncy Castle crypto library used by DRACOON for Android contains a vulnerability (CVE-2023-33201). | DRACOON for Android 6.10 | 31.07.2023 | 6.5 | Medium |
DRACOON Cloud | When an event report generated by DRACOON in CSV format is opened with Microsoft Excel, code may be executed on the Excel user's PC. An attacker can inject this code through an API call to the DRACOON environment with a manipulated UserAgent entry, which is logged and therefore contained in the report. | DRACOON Reporting Service 1.6.1 | 19.07.2023 | 9.6 | Critical |
DRACOON Cloud | Vulnerability CVE-2023-34462 | DRACOON API Gateway 1.6 | 05.07.2023 | 8.8 | High |
DRACOON Cloud | Vulnerability CVE-2023-33201 | DRACOON API Gateway 1.6 | 05.07.2023 | 6.5 | Medium |
DRACOON Cloud | Vulnerability CVE-2023-2976 | DRACOON API Gateway 1.6 | 05.07.2023 | 6.2 | Medium |
DRACOON Cloud | The Spring Boot version used by DRACOON API Gateway contains a vulnerability (CVE-2023-20883) that can lead to a Denial-of-Service attack under certain conditions. | DRACOON API Gateway 1.6 | 05.07.2023 | 7.5 | High |
DRACOON Cloud | The Spring Framework used by DRACOON API Gateway contains a vulnerability (CVE-2023-20860) that could lead to a potential security bypass due to incorrect pattern matching between Spring Security and Spring MVC. | DRACOON API Gateway 1.6 | 05.07.2023 | 7.5 | High |
DRACOON Cloud | Spring Security used by DRACOON API Gateway contains a vulnerability (CVE-2023-20862) that can cause the security context to be incorrectly reset on logout. | DRACOON API Gateway 1.6 | 05.07.2023 | 9.8 | Critical |
DRACOON Cloud | Unlimited PIN entry attempts are possible if a PIN code was set for the DRACOON app. | DRACOON for iOS 6.15 | 22.06.2023 | | |
DRACOON Cloud | If a PIN code was set for the DRACOON app, re-entering the PIN code is not required if the app was closed and reopened within 30 seconds. | DRACOON for iOS 6.15 | 22.06.2023 | 6.3 | Medium |
DRACOON Cloud | The Spring Boot Admin used by the DRACOON OAuth service contains a version of SnakeYaml with a vulnerability. | DRACOON OAuth Service 4.28 | 08.05.2023 | 9.8 | Critical |
DRACOON Cloud | A vulnerability in the Java authentication framework Spring Security used by the DRACOON Core Service can cause the security context not to be reset when logging off. | DRACOON Core Service 4.43 | 03.05.2023 | 8.8 | High |
DRACOON Cloud | Two-step authentication (MFA) can be bypassed if the password flow is used during OAuth-based authentication. | DRACOON OAuth Service 4.27.3, DRACOON Core Service 4.42.4 | 28.04.2023 | 7.5 | High |
DRACOON Cloud, DRACOON Server | Since the DRACOON WebDAV proxy does not transmit a "content-disposition" header, opening a WebDAV link from DRACOON in the browser results in the file being displayed instead of downloaded, which is a reflected XSS vulnerability. | DRACOON WebDAV Proxy 6.1.3, DRACOON WebDAV Proxy 5.4.8 | 28.04.2023 | 8 | High |
DRACOON Server | A vulnerability in the Java authentication framework Spring Security used by the DRACOON Spring Boot Admin can cause the security context not to be reset when logging off. | DRACOON Spring Boot Admin 1.2.1 | 26.04.2023 | 8.8 | High |
DRACOON Server | A vulnerability in the Spring Security Java authentication framework used by DRACOON services allows authentication checks to be bypassed. | DRACOON Message Queue Sender 1.4.6, DRACOON Spring Boot Admin 1.0.4, DRACOON WebDAV Proxy 5.4.7 | 06.04.2023 | 9.8 | Critical |
DRACOON Cloud | A vulnerability in the Spring Security Java authentication framework used by DRACOON services allows authentication checks to be bypassed. | DRACOON API Gateway 1.5.1, DRACOON Event Log Service 1.1, DRACOON S3 CMUR Worker 1.8, DRACOON Branding Service 1.9, DRACOON OAuth Service 4.27.1, DRACOON Message Queue Sender 1.10, DRACOON WebDAV Proxy 6.1.2 | 06.04.2023 | 9.8 | Critical |
DRACOON Cloud | A reflected XSS vulnerability in Swagger (the DRACOON API documentation) of the DRACOON Event Log Service allows the submission of malicious data via the configUrl parameter. | DRACOON Event Log Service 1.1 | 06.04.2023 | 6.1 | Medium |
DRACOON Cloud | The Spring Boot Admin used by the DRACOON OAuth service contains a critical vulnerability. | DRACOON OAuth Service 4.27.2 | 22.03.2023 | 9.8 | Critical |
DRACOON Cloud, DRACOON Server | After disabling FaceID or TouchID on iPhone/iPad, a PIN that was set for the DRACOON app was no longer required when launching the app. | DRACOON for iOS 6.14.6, DRACOON for iOS 5.20.4 | 13.03.2023 | 5.5 | Medium |
DRACOON Cloud | A reflected XSS vulnerability in Swagger (the DRACOON API documentation) of some DRACOON services allows the submission of malicious data via the configUrl parameter. | DRACOON Branding Service 1.8 (CVSS 8), DRACOON Media Service 1.7 (CVSS 8), DRACOON Reporting Service 1.4.2 (CVSS 6.1), DRACOON Signing Service 1.3 (CVSS 6.1) | 17.02.2023 | 8/6.1 | High |
DRACOON Cloud | When using the signature process, in rare cases the signed PDF document could be stored incorrectly. | DRACOON Signing Service 1.2.1 | 11.02.2023 | 7.5 | High |
DRACOON Server | When Swagger (the DRACOON API documentation) is called with the validatorUrl parameter, a DRACOON login form is displayed that can be redirected to the address passed in the parameter. | DRACOON Core 4.26.11 | 10.02.2023 | 6.1 | Medium |
DRACOON Cloud | If two-step authentication (MFA) is mandatory for all users, it is not required for newly added guest users: they can log in to DRACOON without two-step authentication. | DRACOON Core 4.41.2 | 09.02.2023 | 7.5 | High |
DRACOON Server | A reflected XSS vulnerability in Swagger (the DRACOON API documentation) of some DRACOON services allows the submission of malicious data via the configUrl parameter. | DRACOON WebDAV Service 5.4.6 (CVSS 9.6), DRACOON Branding Service 1.4.3 (CVSS 8) | 03.02.2023 | 9.6/8 | Critical |
DRACOON Cloud | When Swagger (the DRACOON API documentation) is called with the validatorUrl parameter, a DRACOON login form is displayed that can be redirected to the address passed in the parameter. | DRACOON Core 4.41.1 | 31.01.2023 | 6.1 | Medium |
DRACOON Cloud | A security hole in the DRACOON Media Service allows DRACOON access data to be captured, e.g. when entered by the user on a fraudulent phishing website that imitates a DRACOON login form. The vulnerability also allows XSS (cross-site scripting) attacks. Exploitation of the vulnerability is unlikely because the DRACOON Media Service is a non-publicly documented component of DRACOON. | DRACOON Media Service 1.7 | 12.01.2023 | 9.3 | Critical |
DRACOON Cloud | If DRACOON legacy authentication is used for authentication to the DRACOON API (i.e. via a deprecated X-SDS auth token), an activated two-step authentication (MFA) is not enforced. | DRACOON Core 4.39 | 12.01.2023 | 7.5 | High |
DRACOON Server | If a user logged into the DRACOON Web App copies their session token from the browser's local storage, they can continue to use the Web App session despite logging out by copying the session token back into the browser's local storage. Exploitation of this scenario by other users is not possible. | DRACOON Web App 5.12.7 | 20.09.2022 | 3.7 | Low |
DRACOON Server | If the policy is set in DRACOON that a user is temporarily blocked after x incorrect login attempts, it can be determined externally whether a particular user exists in DRACOON, since an error message indicating the existence of the user is displayed after the incorrect login attempts. Likewise, the existence of a user in DRACOON can be inferred by clicking the "Forgot password" link in the login form several times in quick succession, as a revealing warning message is then displayed. | DRACOON OAuth Service 4.20.8 | 28.07.2022 | 5.3 | Medium |
DRACOON Cloud | If the policy is set in DRACOON that a user is temporarily blocked after x incorrect login attempts, it can be determined externally whether a particular user exists in DRACOON, since an error message indicating the existence of the user is displayed after the incorrect login attempts. Likewise, the existence of a user in DRACOON can be inferred by clicking the "Forgot password" link in the login form several times in quick succession, as a revealing warning message is then displayed. | DRACOON OAuth Service 4.25 | 21.07.2022 | 5.3 | Medium |
DRACOON Cloud | When entering the password for file requests, there is no lock-out after several failed attempts, so the correct password can eventually be guessed by a brute-force attack. | DRACOON Core 4.37 | 21.06.2022 | 3.7 | Low |
DRACOON Cloud | If a user logged into the DRACOON Web App copies their session token from the browser's local storage, they can continue to use the Web App session despite logging out by copying the session token back into the browser's local storage. Exploitation of this scenario by other users is not possible. | DRACOON Web App 6.19 | 04.05.2022 | 3.7 | Low |
DRACOON Cloud | User managers can use HTML code in user names, so the notification e-mail to new users also contains the specified HTML code; for example, links to any address can be embedded. Group managers can use HTML code in group names, so the notification e-mail to new group members also contains the specified HTML code; again, links to any address can be embedded. | DRACOON Core 4.36 | 04.05.2022 | 4.8 | Medium |
DRACOON Cloud | Creators of shares and file requests can insert HTML code into the e-mail they send from DRACOON to recipients and thus, for example, embed their own links that can point to any address. | DRACOON Core 4.36 | 04.05.2022 | 4.8 | Medium |
DRACOON Server | User managers can use HTML code in user names, so the notification e-mail to new users also contains the specified HTML code; for example, links to any address can be embedded. Group managers can use HTML code in group names, so the notification e-mail to new group members also contains the specified HTML code; again, links to any address can be embedded. | DRACOON Core 4.26.8 | 22.03.2022 | 4.8 | Medium |
DRACOON Server | Creators of shares and file requests can insert HTML code into the e-mail they send from DRACOON to link recipients and thus embed their own links that can point to any address. | DRACOON Core 4.26.8 | 22.03.2022 | 4.8 | Medium |
DRACOON Server | Users logged into DRACOON can be redirected to any other, potentially malicious web page via the redirect_url parameter of the API endpoint /oauth/logout, e.g. by calling https://example.dracoon.com/oauth/logout?redirect_url=google.com. | DRACOON OAuth Service 4.20.7 | 22.03.2022 | 8.8 | High |
DRACOON Cloud | Auditors can view the access data (access key and secret key) for the S3 object storage (if configured) in the audit log. The access data is not publicly visible. | DRACOON Core Service 4.35 | 17.02.2022 | | |
DRACOON Cloud | Users logged into DRACOON can be redirected to any other, potentially malicious website via the redirect_url parameter of the /oauth/logout API endpoint, e.g. https://example.dracoon.com/oauth/logout?redirect_url=google.com | DRACOON OAuth Service 4.24 | 17.02.2022 | 8.8 | High |
DRACOON Cloud | Auditors can view in the audit log the AES key of users that the DRACOON Web App uses to locally decrypt the respective user's decryption password. This vulnerability cannot be used to decrypt encrypted files. | DRACOON Core Service 4.33.4 | 19.01.2022 | 4.1 | Medium |
DRACOON Cloud | DRACOON for Outlook for DRACOON Cloud customers contains versions of the Apache Log4net and RestSharp libraries with security vulnerabilities. Exploits were only theoretically possible and unlikely. | DRACOON for Outlook 6.9.1 | 17.12.2021 | 7.8 | High |
DRACOON Server | DRACOON for Outlook for DRACOON Server customers contains versions of the Apache Log4net and RestSharp libraries with security vulnerabilities. Exploits were only theoretically possible and unlikely. | DRACOON for Outlook 5.12.4 | 17.12.2021 | 7.8 | High |
DRACOON Cloud | Auditors can trace in the audit log the AES key used by the DRACOON Web App to encrypt users' personal decryption passwords. This vulnerability cannot be used to decrypt encrypted files. | DRACOON Core 4.33.4 | 08.12.2021 | 4.1 | Medium |
DRACOON Server | The secret key for connected S3 storage was stored unencrypted in the internal DRACOON database. No external access to the database was possible. | DRACOON Core 4.26.6 | 06.12.2021 | 5.6 | Medium |
DRACOON Cloud | The secret key for connected S3 storage was stored unencrypted in the internal DRACOON database. No external access to the database was possible. | DRACOON Core 4.33 | 10.11.2021 | 5.6 | Medium |
DRACOON Cloud | A reflected XSS vulnerability allowed JavaScript code execution on the error page of the web app under certain conditions when using Firefox. | DRACOON Web App 5.11 | 10.03.2021 | 8.1 | High |
DRACOON Cloud | The distribution of file keys in encrypted data rooms was severely limited under certain conditions. | DRACOON Core Service 4.23.5 | 27.01.2021 | 4.4 | Medium |
DRACOON Cloud, DRACOON Server (2019-1) | A bug in the iOS app meant that, even after logging out of a DRACOON environment, previously saved favorites were still visible under "Files" in iOS. | DRACOON for iOS 6.1.0, DRACOON for iOS 5.14.0 | 22.10.2020 | 2.2 | Low |
DRACOON Cloud, DRACOON Server (2019-1) | The developer version of the Android app ran an outdated third-party software package that had a vulnerability. | DRACOON for Android 5.6.1 | 24.07.2020 | 3.3 | Low |
DRACOON Cloud, DRACOON Server (2019-1) | A bug in the Android app meant that the configured lock code was not requested when unlocking the screen. | DRACOON for Android 5.6.1 | 24.07.2020 | 6.1 | Medium |
DRACOON Server (2019-1) | A reflected XSS vulnerability on the OAuth login page allowed JavaScript code execution via input in the user field. | DRACOON OAuth Service 4.12.4 | 17.07.2020 | 6.8 | Medium |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON Media Server 1.4.2 | 13.07.2020 | Not rated | Not rated |
DRACOON Server (2019-1) | A reflected XSS vulnerability in the use of a specific address used to display errors allowed JavaScript code execution. | DRACOON WebUI 4.12.2 | 29.05.2020 | Not rated | Not rated |
DRACOON Cloud | In rare circumstances, a user of one webhook received information about another, unrelated webhook. | DRACOON Event Web Hook Dispatcher 1.0.2 | 07.05.2020 | Not rated | Not rated |
DRACOON Cloud | In rare circumstances, users received notifications about the use of a share they had not created. | DRACOON Event Email Dispatcher 1.0.1 | 02.04.2020 | Not rated | Not rated |
DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON WebDAV Proxy 5.3.1 | 27.03.2020 | Not rated | Not rated |
DRACOON Cloud | Notifications on data rooms about new files were removed in rare cases without user interaction. | DRACOON Core Service 4.20.3 | 23.04.2020 | Not rated | Not rated |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON BrandingUI 1.2.1-LTS | 02.04.2020 | Not rated | Not rated |
DRACOON Cloud | The media token was submitted in webhook responses for the "file.created" event. | DRACOON Core Service 4.20 | 30.03.2020 | Not rated | Not rated |
DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON OAuth Service 4.12.2, DRACOON OAuth Service 4.16.1 | 24.03.2020 | Not rated | Not rated |
DRACOON Cloud, DRACOON Server (2019-1) | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON Core Service 4.12.6, DRACOON Core Service 4.19 | 10.03.2020 | Not rated | Not rated |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON BrandingUI 1.4.2 | 10.03.2020 | Not rated | Not rated |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON Branding Service 1.3.1 | 05.03.2020 | Not rated | Not rated |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON Web App 5.3 | 05.03.2020 | Not rated | Not rated |
DRACOON Cloud | Spring Boot update due to a vulnerability in Tomcat: "Ghostcat" - CVE-2020-1938 | DRACOON S3 CMUR Worker 1.3 | 05.03.2020 | Not rated | Not rated |