VERSION 2022.3.10.0 (February 02nd 2023)

If you are using RDM as the client, RDM 2022.3 is required for this DVLS version

FIXES

  • Core - Avoid sending an email on successful backup if user does not want to receive it
  • SECURITY FIX Core - Fixed a security issue where sensitive data was returned even if the user did not have access to it. Related to security advisory https://devolutions.net/security/advisories/DEVO-2023-0002.
  • Core - Fixed an issue where tags with a dot were not displayed correctly
  • Core - Fixed the hyperlink in backup confirmation email
  • PAM - Fixed an issue where some PAM vaults or PAM accounts were not found


## CONSOLE RELEASE NOTES ##

IMPROVEMENTS

  • Update prerequisite IIS ASP.NET Core Module (ANCM) to version 6.0.13


FIXES

  • Fixed an issue where encryption at rest cannot be activated

Richard Boisvert

All Comments (1)

Hello,

In reference to security advisory https://devolutions.net/security/advisories/DEVO-2023-0002, here's a quick FAQ to help you understand the implications.

  • What exactly is affected?
    • The full password history is included in the payload returned to the caller.
  • Who can access this information?
    • Only users that had the VIEW permission on the target entry.
  • How can this issue be exploited?
    • Remote Desktop Manager will hide the passwords because it will re-apply the permissions as it works with the entry. One would need to use the REST API to see the passwords in clear. An alternative method would be to use the DVLS Web interface and to use the developer tools to inspect the payload.
  • When was this issue introduced?
    • The issue was introduced in version 2022.3.1


In summary, if you do not apply the patch, avoid granting access to entries WITHOUT also granting the view password permission.

Maurice
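The FAQ above describes the pattern behind the advisory: the server returned the full password history in the entry payload and relied on the client (RDM) to hide it. As an added illustration, not DVLS code (the permission names, entry shape and field names are assumptions), here is that vulnerable serializer beside a hardened one that enforces the view-password permission on the server side, plus a regression check an API test suite could run over responses:

```python
from dataclasses import dataclass, field
from enum import Flag, auto

class Perm(Flag):
    """Assumed permission model: VIEW shows the entry, VIEW_PASSWORD its secrets."""
    NONE = 0
    VIEW = auto()
    VIEW_PASSWORD = auto()

@dataclass
class Entry:
    name: str
    password: str
    password_history: list = field(default_factory=list)  # older passwords, newest first

SECRET_FIELDS = ("password", "password_history")

def serialize_vulnerable(entry: Entry, caller: Perm) -> dict:
    """Pattern behind the advisory: the entry-level check passes, then every field is
    returned and the client is trusted to hide what the caller may not see."""
    if not caller & Perm.VIEW:
        raise PermissionError("caller lacks VIEW on this entry")
    return {
        "name": entry.name,
        "password": entry.password,
        "password_history": list(entry.password_history),
    }

def serialize_fixed(entry: Entry, caller: Perm) -> dict:
    """Hardened form: secret fields are only added when the caller holds VIEW_PASSWORD,
    so a raw REST call or browser dev tools see exactly what the client would render."""
    if not caller & Perm.VIEW:
        raise PermissionError("caller lacks VIEW on this entry")
    payload = {"name": entry.name}
    if caller & Perm.VIEW_PASSWORD:
        payload["password"] = entry.password
        payload["password_history"] = list(entry.password_history)
    return payload

def leaked_secret_fields(payload: dict, caller: Perm) -> list:
    """Regression check: secret fields present in a response to a caller without
    VIEW_PASSWORD are a leak, whatever the UI would show."""
    if caller & Perm.VIEW_PASSWORD:
        return []
    return [k for k in SECRET_FIELDS if k in payload]

# Constructed sample entry, not real data.
SAMPLE = Entry("db-admin", "current-secret", ["old-secret-2", "old-secret-1"])
```

Running `leaked_secret_fields` against every endpoint response for a VIEW-only caller is the kind of test that would have caught this class of regression before release.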