SR-A20094 · Issue 238591
Localization handling updated for High Level Overview documents generated in Word
Resolved in Pega Version 7.2.1
In a localized environment, High Level Overview documents generated in Word included some garbled characters if there were images or attachments in between the content of sections. The localization code has been updated to properly handle this format.
SR-A20183 · Issue 238612
Localization handling updated for High Level Overview documents generated in Word
Resolved in Pega Version 7.2.1
In a localized environment, High Level Overview documents generated in Word included some garbled characters if there were images or attachments in between the content of sections. The localization code has been updated to properly handle this format.
SR-A21378 · Issue 245075
Resolved Interaction Portal unexpected close
Resolved in Pega Version 7.2.1
In Google Chrome, launching a secondary portal and encountering a Content Security Policy issue relating to an image caused the secondary portal to automatically close and the developer portal to be refreshed. This was an issue with a mismatch in the pyrequestor token, and has been corrected.
SR-A21569 · Issue 242079
Corrected persistence of deleted requirements links with multiple actors
Resolved in Pega Version 7.2.1
When checking in a specification with more than one actor specified on it, deleted requirement links re-appeared after the rule was closed and re-opened. This was due to an unnecessary section refresh, which has been removed.
SR-A22198 · Issue 244738
Empty access groups handling added for organizational instance
Resolved in Pega Version 7.2.1
If an unauthenticated access group was configured in the organizational instance, errors occurred because the organization instance access groups are only considered for session authorization once the user is authenticated. This will now be handled through a validate activity change in the Data-admin-organization to honor the emptiness of access groups
SR-A24508 · Issue 246983
Apache Struts updated for security
Resolved in Pega Version 7.2.1
Apache Struts has been updated to version 2.3.28 to protect against potential security vulnerabilities exposed when Dynamic Method Invocation is enabled, removing the ability for remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
SR-A87291 · Issue 255631
JDBC password encryption check logic updated
Resolved in Pega Version 7.2.2
When using a Database instance with a JDBC connection URL, the specified password is encrypted. An issue was occurring where multiple saves of the instance caused the encrypted password to be encrypted again, causing the agent to lose access to the DB due to an authentication failure. The problem was traced to a logic flaw in the method used to check whether the password was already encrypted, and has been fixed.
SR-A91802 · Issue 260001
Apache Struts JARS updated to improve security
Resolved in Pega Version 7.2.2
The Apache Struts JARs have been updated to resolve the following potential security vulnerabilities: The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
SR-A87698 · Issue 256038
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.
SR-A87698 · Issue 260087
SQL info stripped from user-view DB2 error codes
Resolved in Pega Version 7.2.2
A security audit showed that entering bogus values for pyActivity in a URL resulted in actual DB@ error codes provided to user in the exception response. This was not an issue with Oracle. In order to prevent any vulnerability, the message shown to the http client will mask SQLCodes.