Last week, a vulnerability - now known as Spring4Shell - was discovered in the Spring framework. It is registered as CVE-2022-22965, technical details can be found in this article, among others: https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/
verinice.PRO is only affected under certain conditions: Only if the verinice-REST-Service is installed on the server. In a standard installation of verinice.PRO, the verinice REST service is generally not included. The verinice single-user version is not affected by this vulnerability at all.
Since the verinice REST service can be affected by the vulnerability under certain circumstances, the verinice team has created a new version of this application. This closes the vulnerability and is available via the verinice GitHub repository: https://github.com/SerNet/verinice-rest-service/releases/tag/0.5. We recommend updating to this new version 0.5 if you have the verinice REST service installed.
Please contact our support if you have further questions or need help.
