Emi_Stafford
Employee

Affected Product: Nuxeo Enhanced Viewer  

Affected Product Versions: All versions  

 

A possible server-side request forgery (SSRF) vulnerability has been reported in Nuxeo Enhanced Viewer. The Hyland Security team has deployed a mitigation in our cloud instance.

We strongly advise self-managed customers to likewise apply the following configuration change to mitigate the risk of this vulnerability: 

  1. Declare or update the UI previewer service environment variable below as follows:

    ARENDERSRV_ARENDER_SERVER_URL_PARSERS_BEANNAMES=blobNuxeoURLParser,DocumentIdURLParser 

  2. Restart your Nuxeo Enhanced Viewer instance. 
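
To confirm the setting on self-managed deployments, the check below compares the variable's value with the parser list from step 1. It is an added example, not Hyland's code; the `KEY=VALUE` env-file layout, the last-assignment-wins rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the URL parser list set by the advisory's mitigation.
VAR_NAME=ARENDERSRV_ARENDER_SERVER_URL_PARSERS_BEANNAMES
ALLOWED="blobNuxeoURLParser DocumentIdURLParser"   # value given in the advisory

# check_parsers VALUE -> 0 exact match (any order), 1 unset or empty,
# 2 a name outside the advisory's list (or an empty entry), 3 a listed parser is missing.
check_parsers() {
    value=$(printf '%s' "$1" | tr -d ' \t\r')      # ignore stray whitespace
    [ -n "$value" ] || return 1
    rest=$value,
    while [ -n "$rest" ]; do                       # walk the comma-separated names
        name=${rest%%,*}
        rest=${rest#*,}
        case " $ALLOWED " in
            *" $name "*) ;;
            *) return 2 ;;
        esac
    done
    for want in $ALLOWED; do                       # both advisory parsers must be present
        case ",$value," in
            *",$want,"*) ;;
            *) return 3 ;;
        esac
    done
    return 0
}

# value_from_env_file FILE: print the last assignment of VAR_NAME in a KEY=VALUE file
# (assumption: docker-style env file where the last assignment wins).
value_from_env_file() {
    grep "^$VAR_NAME=" "$1" | tail -n 1 | cut -d= -f2-
}

report() {
    check_parsers "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "OK: parser list matches the advisory" ;;
        1) echo "Mitigation not applied: $VAR_NAME is unset or empty" ;;
        2) echo "Mitigation not applied: unexpected parser name in '$1'" ;;
        3) echo "Check: a parser from the advisory is missing in '$1'" ;;
    esac
    return "$rc"
}

# Usage: sh audit.sh /path/to/previewer.env   (path is a placeholder)
[ "$#" -eq 0 ] || report "$(value_from_env_file "$1")"
```

A non-zero exit status makes the script usable as a deployment gate; the check reads only the file, so a restart (step 2) is still needed for a changed value to take effect.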


Fixed Versions:
2.1.4 and higher


Upgrading to a fixed version is an alternative to performing the mitigation steps above.
 

If you have questions or require additional assistance, please open a support ticket with us.