Secret Server 11.6.000004 Release Notes
On-premises: December 6, 2023
Important security release—we recommend that all affected Secret Server On-Premise customers upgrade as soon as possible. This update addresses a security vulnerability recently discovered during internal testing that impacts all versions of Secret Server: a SQL Injection vulnerability was found in the REST API. Hashes for the upgrade have been updated for this change. This issue is rated HIGH with a score of 7.2 on the Common Vulnerability Scoring System (CVSS): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
This vulnerability has already been patched in Secret Server Cloud, so no additional update is needed there.
Step Upgrade Required (11.5.2). Versions prior to 11.5.2 must first upgrade to 11.5.2. The automatic downloads in the product will fetch the right versions for the step upgrade and then allow the 11.6 upgrade. However, if you are offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.2 and then upgrade to 11.6.4.