Secret Server 11.2.000003 Security Patch

Delinea discovered a Secret Server vulnerability with a rating of CVSS v3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A SQL injection vulnerability was found in the REST API. Please see the CVSS Calculator for details.

This requires an immediate security patch, available October 4, 2022.

FAQs

Which products are affected?

All versions of Secret Server up to and including 11.2.000002. Secret Server Cloud has already been updated.

What should users do?

Delinea recommends that all Secret Server customers upgrade to version 11.2.000003 at their earliest convenience. Secret Server Cloud users do not need to take any action.

Recommendation

Delinea recommends that customers remain diligent and check for any suspicious activity in Secret Server that could be generated, not necessarily from this vulnerability, which includes but should not be limited to: