Delinea Documentation - Secret Server - 11.1.0

Secret Server: 10.8.000004 Release Notes

June 8, 2020

Note: The system requirements last changed with version 10.7.000000. See that version's release notes for details.

Upgrade Notes

• Delinea encourages all customers to upgrade at the earliest opportunity.
• Security advisories are under review and will be published at the end of that review process. The link to that advisory will appear here.
• Delinea thanks Jay Huang from Insomnia Security for identifying the security issues leading to this release.

Security

High Priority Security Fix

Addressed incorrect user permissions validation.

• Common Vulnerability Scoring System (CVSS) v3.1 score: 8.8 (High).
• CVSS v3.1 Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Additional Security Fixes

• Added Custom "URL Security Check" to the Secret Server Security Hardening report. Delinea recommends configuring the Custom URL.
• Added host and port validation when using a proxied secret.
• Remediated potential cross-site scripting vulnerability.
• Modified user access controls to limit low-privilege application user access to administrative features.
• Implemented SHA-512 hashes for the launcher, replacing an older hash algorithm.
• Removed disclosure of internal IP addresses during authentication process of proxied connections.
• Modified when cookies are set during authentication.