#Release Notes

The Webswing version 20.2 comes with new Clustering feature, Standalone Admin Console and some security and bug fixes. In this page we list also other changes for minor releases.

This version is in Long Term Support till 30.9.2023

#20.2.22

Release date: 19th August 2023

#3rd party vulnerabilities:

Webswing Server:

• Creation of Temporary File in Directory with Insecure Permissions Low Severity
• Prototype Pollution High Severity
• Information Exposure Low Severity
• Information Exposure Low Severity
• Denial of Service (DoS) Medium Severity
• Regular Expression Denial of Service (ReDoS) High Severity

SAML2 Security Module:

• Denial of Service (DoS) Medium Severity

SHIRO Security Module

• Directory Traversal [Critical Severity](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHESHIRO-5804850]

Formium:

• Denial of Service (DoS) Medium Severity
• Denial of Service (DoS) Medium Severity

Test Tool:

• Cross-site Scripting (XSS) Medium Severity
• Creation of Temporary File in Directory with Insecure Permissions Low Severity
• Denial of Service (DoS) Low Severity
• Denial of Service (DoS) Low Severity
• Denial of Service (DoS) High Severity
• Arbitrary File Write via Archive Extraction (Zip Slip) Medium Severity

#20.2.21

Release date: 21st November 2022

• Fixed re-rendering of tabbed pane in JavaFX
• ClientIP is blank with Chrome
• LogReaderUtil does not close files
• EDT monitor busy dialog does not hide automatically
• Error handling of invalid URL parameters
• Ping timer deadlock fix
• Fixed Admin Console properties initialization on Tomcat

3rd party vulnerabilities:

• Denial of Service (DoS) Medium Severity
• Denial of Service (DoS) Medium Severity
• Denial of Service (DoS) Medium Severity
• Out-of-bounds Write (new) High Severity

Security Module SHIRO:

• Authorization Bypass High Severity
• Authentication Bypass High Severity

TEST TOOL:

• Arbitrary Code Execution High Severity
• Cross-site Scripting (XSS) Medium Severity
• HTTP Request Smuggling (new) Low Severity
• Denial of Service (DoS) Medium Severity
• Denial of Service (DoS) Medium Severity
• Stack-based Buffer Overflow Low Severity
• Stack-based Buffer Overflow Low Severity
• Stack-based Buffer Overflow (new) Low Severity
• Stack-based Buffer Overflow Medium Severity
• Denial of Service (DoS) High Severity

#20.2.20

Release date: 22nd August 2022

• #645 generate key_typed event for control+a-Z events
• #663 fix clipboard copy after focusing pwd field
• Denial of Service (DoS) [High Severity] CVE-2020-36518
• Improper Input Validation [Low Severity] CVE-2022-2047

#20.2.19

Release date: 8th July 2022

• Header Injection Vulnerability [Critical Severity] CVE-2022-34914

#20.2.18

Release date: 22nd June 2022

• #617: fix Application Selector page for user with no permissions

3rd party updates:

• Cryptographic Issues [Medium Severity] SNYK-JAVA-ORGBOUNCYCASTLE-2841508
• Test Tool:
  • Denial of Service (DoS) [Medium Severity] CVE-2022-22970
• SAML2:
  • XML External Entity (XXE) Injection [Critical Severity] SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754
  • Denial of Service (DoS) [Medium Severity] CVE-2022-22970

#20.2.17

Release date: 10th May 2022

• #581: Admin Console fix for high number of Session Pools
• #569 : server OOM due to deadlock fix

3rd party updates:

• Webswing Test Tool - Spring Shell [Critical] CVE-2022-22965
• Webswing Security OIDC - Improper Verification of Cryptographic Signature [High Severity] CVE-2021-22573

#20.2.16

Release date: 4th April 2022

• #550 "C:\Program" is not executable file appears when running with security manager enabled
• #551 Add option to use grizzly websocket client instead of jdk to admin server
• #537 ping timer deadlock causing OOM
• hide Logs buttons, on LogsView false

3rd party updates:

• Denial of Service (DoS) [High Severity] CVE-2020-36518
• SAML2 Security module:
  • Remote Code Execution [Critical Severity] CVE-2021-22096

#20.2.15

Release date: 9th February 2022

• Webswing Server ID startup arg fix for standalone mode
• #425 ScriptWebSocketUrlLoader stability fix
• #526 Java8 JavaFX NoSuchMethodException: com.sun.glass.ui.Screen
• Misleading message when stopping Webswing on Linux
• #372 Use localStorage to store webswingID instead of cookie
• #513 customization css upload to bucket

3rd party updates:

• Denial of Service (DoS) [High Severity] CVE-2021-22569
• SAML2 Security module:
  • Improper Output Neutralization for Logs [Medium Severity] CVE-2021-22096
  • Improper Input Validation [Medium Severity] CVE-2021-22060

#20.2.14

Release date: 6th January 2022

• #504 NPE at WindowManager
• unnecessary Java 11 WARNING removed

3rd party security fix:

• log4j-core 2.17.1 Arbitrary Code Execution (new) [Medium Severity] CVE-2021-44832
• jackson-databind 2.13.1 Denial of Service (DoS) [Medium Severity] CWE-400

#20.2.13

Release date: 21st December 2021

3rd party security fix:

• CVE-2021-45105 - Updating Log4J to 2.17.0

#20.2.12

Release date: 13th December 2021

3rd party security fix:

• CVE-2021-44228 - updating Log4J to 2.16.0

#20.2.11

Release date: 3rd December 2021

• #467 Empty page at the end of the print preview
• #477: Option to use grizzly websocket client instead of jdk
• Updated Webswing related Java thread names

#20.2.10

Release date: 4th November 2021

• #457 Download triggered by pointing to directories
• #454 Passwords hidden in some logs
• #442 websocket handshake Timeout if application does not start in 30s
• #439 Extensible cluster server load balancer

3rd party security fix:

• Webswing Server: CVE-2021-41182

#20.2.9

#20.2.8

#20.2.7

#20.2

Release date: 9th November 2020

Changes:

• Cluster support
• Standalone Admin Console
• Other small performance improvements, security & bug fixes

#Versioning

Since 2020 Webswing uses a new versioning scheme. Every year there are 2 major releases. This year we have released 20.1 and 20.2. In 2021 we will release 21.1 in Q1 and 21.2 in Q2.