
Release: Merge back 2.47.3 into dev from: master-into-dev/2.47.3-2.48.0-dev (#12675)

Merged
Maffooch merged 14 commits into dev from master-into-dev/2.47.3-2.48.0-dev on Jun 23, 2025

Conversation

@github-actions
Contributor

Release triggered by Maffooch

DefectDojo release bot and others added 13 commits June 16, 2025 14:34
….48.0-dev

Release: Merge back 2.47.2 into bugfix from: master-into-bugfix/2.47.2-2.48.0-dev
* PR template: adjust freeze wording

* fix dead link
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* Burp Enterprise renamed to Burp DAST

* Burp Enterprise renamed to Burp DAST

* Burp Enterprise renamed to Burp DAST
Co-authored-by: Jino Tesauro <jino@defectdojo.com>
Release: Merge release into master from: release/2.47.3
dryrunsecurity Bot commented Jun 23, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains multiple security findings related to potential information disclosure, including sensitive user information exposure in API filters, PII risks in Jira templates, and potential third-party content risks in documentation, with most findings classified as low-risk and non-blocking.

🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
Vulnerability: Configured Codepaths Edit
Description: Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Third-Party Content Risk in docs/content/en/working_with_findings/finding_priority.md
Vulnerability: Third-Party Content Risk
Description: Embedding a YouTube video in documentation introduces a potential supply chain risk. While the risk is low in a documentation context, the iframe could potentially be a vector for content injection or tracking if the third-party domain is compromised.

```markdown
---
title: "⏱️ Finding Priority and Risk (Pro)"
description: "How DefectDojo ranks your Findings"
weight: 1
---
Additional Finding filters are available in DefectDojo Pro to more easily triage, filter and prioritize Findings.
![image](images/pro_risk_example.png)
* **Priority** sorts Findings based on the context and importance of the Product they are stored in.
* **Risk** considers the Product's context, with a greater emphasis on the exploitability of a Finding.
Learn more about Priority and Risk with DefectDojo Inc's May 2025 Office Hours:
<iframe width="560" height="315" src="https://www.youtube.com/embed/4SN0BWWsVm4?si=VYUzEGNeijjhoD22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
## Finding Priority
```

Reporter PII Exposure in dojo/templates/issue-trackers/jira_limited/jira-description.tpl
Vulnerability: Reporter PII Exposure
Description: Jira description template now includes the reporter's full name and email address, which could expose personally identifiable information if the Jira issue is accessible to unauthorized parties.

```django
*Product/Engagement/Test:* [{{ finding.test.engagement.product.name }}|{{ product_url|full_url }}] / [{{ finding.test.engagement.name }}|{{ engagement_url|full_url }}] / [{{ finding.test }}|{{ test_url|full_url }}]
*Reporter:* [{{ finding.reporter|full_name }} ({{ finding.reporter.email }})|mailto:{{ finding.reporter.email }}]
{% if finding_text %}
*Finding Text*:
{{ finding_text|safe }}
{% endif %}
```

Sensitive User Information Disclosure in dojo/filters.py
Vulnerability: Sensitive User Information Disclosure
Description: The ApiUserFilter exposes sensitive user attributes like is_active, is_superuser, and last_login. Without strict access controls, this could allow unauthorized gathering of user account metadata.

```python
    Test_Import_Finding_Action,
    Test_Type,
    TextQuestion,
    User,
    Vulnerability_Id,
)
from dojo.product.queries import get_authorized_products
```

User Enumeration via API Filter in dojo/api_v2/views.py
Vulnerability: User Enumeration via API Filter
Description: The ApiUserFilter allows filtering user data by sensitive fields like username and email. If not properly secured, this could enable attackers to enumerate valid user accounts by observing filter responses, potentially aiding in targeted attacks.

```python
    ApiRiskAcceptanceFilter,
    ApiTemplateFindingFilter,
    ApiTestFilter,
    ApiUserFilter,
    ReportFindingFilter,
    ReportFindingFilterWithoutObjectLookups,
    TestImportAPIFilter,
```

Finding Text Information Disclosure in dojo/jira_link/helper.py
Vulnerability: Finding Text Information Disclosure
Description: The new get_jira_finding_text() function adds finding text to Jira descriptions, which could expose sensitive internal details or debugging information depending on the content of finding_text.

```python
    return "customfield_" + str(jira_instance.epic_name_id)


def get_jira_finding_text(jira_instance):
    if jira_instance and jira_instance.finding_text:
        return jira_instance.finding_text
    logger.debug("finding_text not found in Jira instance")
    return None


def has_jira_issue(obj):
    return get_jira_issue(obj) is not None
```

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

@github-actions
Contributor Author

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Contributor Author

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions bot added labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs, unittests, ui, parser, helm on Jun 23, 2025
Maffooch merged commit 6962a95 into dev on Jun 23, 2025
80 checks passed
Maffooch deleted the master-into-dev/2.47.3-2.48.0-dev branch on June 23, 2025 16:13