What's new in NEV 2.1.4
Summary
This is a security update.
A possible server-side request forgery (SSRF) vulnerability has been reported in Nuxeo Enhanced Viewer. The Hyland Security team has deployed a mitigation in our cloud instance. We strongly advise self-managed customers to apply the following configuration change as well, to mitigate the risk of this vulnerability while they deploy this release:
Declare or update the following UI previewer service environment variable:
ARENDERSRV_ARENDER_SERVER_URL_PARSERS_BEANNAMES=blobNuxeoURLParser,DocumentIdURLParser
Restart your Nuxeo Enhanced Viewer instance.
This version fixes the issue. Upgrading to it can be done in lieu of performing the mitigation steps above.
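To confirm that the mitigation value is the one actually configured, the shell functions below compare a configured value against the parser list advised above and report any name outside it. This is an added example, not part of the original release note or of Hyland's tooling; the env-file layout (plain KEY=VALUE lines) and the file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit the URL-parser list advised in this release note.
# ADVISED is copied from the page; everything else here is illustrative.
VAR_NAME=ARENDERSRV_ARENDER_SERVER_URL_PARSERS_BEANNAMES
ADVISED="blobNuxeoURLParser,DocumentIdURLParser"

# normalize LIST: split on commas, trim blanks, drop empties, sort, de-duplicate.
normalize() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | sort -u
}

# value_from_env_file FILE: print the last assignment of VAR_NAME found in a
# KEY=VALUE file (assumed layout), with quotes and carriage returns stripped.
value_from_env_file() {
    sed -n "s/^[[:space:]]*$VAR_NAME=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# check_parsers VALUE
#   0 = exactly the advised set (order and spacing ignored)
#   1 = unset or empty
#   2 = contains a parser name outside the advised set
#   3 = an advised parser name is missing
check_parsers() {
    have=$(normalize "$1")
    want=$(normalize "$ADVISED")
    if [ -z "$have" ]; then
        echo "$VAR_NAME is unset or empty" >&2
        return 1
    fi
    # Whole-line, fixed-string comparison of one set against the other.
    extra=$(printf '%s\n' "$have" | grep -vxF "$want" || true)
    missing=$(printf '%s\n' "$want" | grep -vxF "$have" || true)
    if [ -n "$extra" ]; then
        echo "parser(s) outside the advised list: $extra" >&2
        return 2
    fi
    if [ -n "$missing" ]; then
        echo "advised parser(s) missing: $missing" >&2
        return 3
    fi
    return 0
}

# Usage (hypothetical path): check_parsers "$(value_from_env_file ./nev.env)"
# or, inside the running container: check_parsers "$(printenv "$VAR_NAME")"
```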
Noteworthy Changes
- Fixed a security issue. [NEV-629]
Learn More
More information about released changes and fixed bugs is available in our bug tracking tool.
NEV Release Notes Summary
Version | Notes |
---|---|
NEV 2.1.3 | Authenticate to NEV without being authenticated in Web UI. |
NEV 2.1.1 and 2.1.2 | Bugfix releases. |
NEV 2.1.0 | Major observability improvements and bugfixes. |
NEV 2.0.0 | Major version with new features, UI improvements, architectural changes, bug fixes, and improvements. |
NEV 10.6.11 | Log4j vulnerabilities (CVE-2021-45046) remediation. |