Security Announcement on CVE-2023-46589
We will update this announcement with new details as they emerge from our analysis. Please check back periodically.
Last update: 05 March 2024, 5:00 PM CET
CVE-2023-46589 is a vulnerability rated 7.5. It affects several versions of Apache Tomcat, a third-party component used to run our software.
The vulnerability allows potential attackers to perform request smuggling. It can only be exploited if the customer environment uses a reverse proxy setup.
Further official information on this can be found at the National Institute of Standards and Technology.
The vulnerability is not considered critical, but as some components of our product lines may be at risk, we are providing hotfixes.
enaio®
You can find the hotfixes in our Serviceportal via 'Software > Version > Release Info'.
Enter DB-7976 in the search field to find all hotfixes related to this security warning.
Version 11.0
enaio® documentviewer: Hotfix 11.0.0.3 from 06th Feb 2024
enaio® appconnector: Hotfix 11.0.0.155 from 16th Feb 2024
enaio® gateway: Hotfix 11.0.0.16 from 27th Feb 2024
enaio® services
RestDashlet-app.jar: 2.0.2 from 20th Feb 2024
masstorage-app.jar: 2.1.5 from 20th Feb 2024
massmtp-app.jar: 2.1.5 from 20th Feb 2024
masmailbox-app.jar: 2.1.5 from 28th Feb 2024
Version 10.10
enaio® documentviewer: Hotfix 10.10.0.12 from 06th Feb 2024
enaio® webservices: Hotfix 10.10.0.7 from 29th Dec 2023
enaio® appconnector: Hotfix 10.10.0.155 from 16th Feb 2024
enaio® gateway: Hotfix 10.10.0.28 from 27th Feb 2024
yuuvis® RAD
You will receive the hotfixes as usual via our e-mail distribution list. You can find the list of hotfixes that have already been deployed in the developer documentation.
Version 9.16 (LTS)
yuuvis_rad_service-manager 9.16.9 from 13th Feb 2024
All older versions are no longer under maintenance.
yuuvis® Momentum
You will receive the hotfixes as usual via our e-mail distribution list. You can find the list of hotfixes that have already been deployed in the developer documentation.
Version 2023 Winter LTS
office-for-the-web/yuuvis-momentum-provider-client: pending
office-for-the-web/yuuvis-momentum-dashlet-microservice: pending
repositorymanager-momentum: pending
mas-storage-momentum: pending
mas-smtp-momentum: pending
mas-mailbox-momentum: pending