Secret Server Release Notes 10.5.000001

Release Notes 10.5.000001

Release Date: 8/15/2018

Security Fixes

  • Secret data is now authenticated with HMAC-SHA-256. This addresses CVE-2018-18002.

    • Security Issue Discovered by: Jarrod Farncomb of TSS (
  • SOAP API updated to use the same token generation as the REST API.

  • Security Issue Discovered by: TSS (


  • Customers are now able to configure the time when session recordings are moved from the database to disk.

Bug Fixes

  • Fixed issue where after 10.5 upgrade, session recording could not be configured to use a file share.
  • Fixed an issue where there was an intermittent first login fail on fresh install.
  • Fixed issue where selecting "Now" for a password change in Autochange Schedule could set the incorrect time in situations where the user's computer is in a different time zone than the Secret Server host.
  • Fixed issue where dependency scanning would miss Scheduled Task dependencies in situations where two domains with the same name (ex: and were used.
  • Fixed issue where the password for an account would be changed multiple times in a row if the "Only Change password when Secret is expired" box was selected in Autochange Schedule.
  • Fixed issue where bulk operations could cause database deadlocks.
  • Fixed issue where Distributed Engine callbacks could cause a race condition.
  • Added a warning to the schedule page that specified the time will be saved is Secret Server configuration time.
  • Fixed an issue where after adding and saving an identity provider in advance settings (SAML), the user observed an error stating 'Object reference not set to an instance of an object.'