| Date | 2026-06-08 |
| Severity | reported "medium/high", BlueSpice assessment: not affected |
| Affected | Cloudogu Container Images (library present, not exploitable) |
| Fixed in | Next regular update |
| CVE | |
| Validated by | RV, FS |

Problem
| CVE | Component | Type of vulnerability | BlueSpice 5 | BlueSpice 4 |
|---|---|---|---|---|
| CVE-2026-31789 | hallowelt/bluespice-mathoid, hallowelt/bluespice-collabpadsbackend, hallowelt/mongodb | Heap Buffer Overflow (OpenSSL, 32-bit only) | not affected | not affected |
| CVE-2026-43512 | hallowelt/bluespice-pdfrenderer, hallowelt/drawio | Authentication Bypass (Apache Tomcat DIGEST) | not affected | not affected |
| CVE-2026-7261 | hallowelt/bluespice | PHP SOAP Server Session Persistence | not affected | not affected |

Impact assessment
| CVE | Assessment | Mitigation without update |
|---|---|---|
| CVE-2026-31789 | Not affected. The vulnerability only applies to 32-bit platforms. Additionally, the way OpenSSL is used in the affected container images does not expose any exploitable attack surface. | No action required. |
| CVE-2026-43512 | Not affected. Neither bluespice-pdfrenderer nor drawio use DIGEST authentication. Access to both services is anonymous by design. | No action required. |
| CVE-2026-7261 | Not affected. BlueSpice does not use a PHP SOAP server, and the affected SOAP_PERSISTENCE_SESSION setting is not in use. | No action required. |

Solution
No immediate action required. The affected libraries will be updated in the next regular release.
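
The preconditions named in the impact assessment can be re-checked inside a running container. The script below is an added example, not part of the BlueSpice advisory or tooling. It covers only the conditions that can be checked mechanically (32-bit userland, DIGEST configured for Tomcat, `SOAP_PERSISTENCE_SESSION` referenced in PHP code), and the two directory arguments are assumptions to be replaced with the paths used in your images.

```shell
#!/bin/sh
# Added example: re-check the "not affected" preconditions from the advisory.
# Usage (paths are assumptions): sh check.sh <tomcat-config-dir> <php-code-dir>

# CVE-2026-31789 applies to 32-bit platforms only.
is_32bit_userland() {
    [ "$(getconf LONG_BIT 2>/dev/null)" = "32" ]
}

# CVE-2026-43512 needs Tomcat DIGEST authentication: either
# <auth-method>DIGEST</auth-method> in a login-config, or an explicit
# DigestAuthenticator valve. Returns 0 if any XML file under $1 has one.
uses_digest_auth() {
    find "$1" -type f -name '*.xml' -exec grep -lE \
        '<auth-method>[[:space:]]*DIGEST[[:space:]]*</auth-method>|DigestAuthenticator' {} + \
        2>/dev/null | grep -q .
}

# CVE-2026-7261 needs a PHP SOAP server using SOAP_PERSISTENCE_SESSION.
# Returns 0 if any PHP file under $1 references the constant.
uses_soap_session_persistence() {
    find "$1" -type f -name '*.php' -exec grep -l 'SOAP_PERSISTENCE_SESSION' {} + \
        2>/dev/null | grep -q .
}

# Print one line per CVE; return 1 if any precondition is present.
check_all() {
    rc=0
    if is_32bit_userland; then
        echo "CVE-2026-31789: 32-bit userland, review needed"; rc=1
    else
        echo "CVE-2026-31789: not 32-bit, precondition absent"
    fi
    if uses_digest_auth "$1"; then
        echo "CVE-2026-43512: DIGEST auth configured, review needed"; rc=1
    else
        echo "CVE-2026-43512: no DIGEST auth found"
    fi
    if uses_soap_session_persistence "$2"; then
        echo "CVE-2026-7261: SOAP_PERSISTENCE_SESSION referenced, review needed"; rc=1
    else
        echo "CVE-2026-7261: SOAP_PERSISTENCE_SESSION not referenced"
    fi
    return "$rc"
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then check_all "$1" "$2"; fi
```

A hit is a lead for manual review rather than proof of exposure, and a clean result does not cover configuration injected at runtime from outside the scanned directories.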