Release: Merge back 2.52.2 into dev from: master-into-dev/2.52.2-2.53.0-dev #13721
DryRunSecurity / General Security Analyzer
succeeded
Nov 17, 2025 in 1m 23s
DryRun Security
General Security Analyzer Findings: 3 detected
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The engagement.name is directly included in notification messages (e.g., Slack, Email, Webhooks, internal alerts) when a user is mentioned in a note. If the engagement.name contains sensitive information, and an authorized user mentions an unauthorized user in a note, this sensitive information could be disclosed to the unauthorized recipient via the notification system. While the note content itself is truncated, the engagement.name in the parent_title is not. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 540 to 543 in 6f0897a |
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The finding.title is used directly in notification messages sent to various channels (email, Slack, MS Teams, webhooks) without explicit sanitization or truncation. If a finding's title contains sensitive information (e.g., internal system names, specific vulnerability details that should not be widely broadcast), this information could be exposed to unauthorized recipients through these notification channels. While the system attempts to filter recipients based on permissions, the parent_title is used in the notification message itself, which could be problematic if the title is inherently sensitive and the notification goes to a broader audience than intended for the specific finding's details. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 1107 to 1110 in 6f0897a |
⚠️ Information Disclosure dojo/api_v2/views.py

| Field | Value |
|---|---|
| Type | Information Disclosure |
| Description | The parent_title for notifications, which includes test.title, is directly incorporated into messages sent to various notification channels (Slack, MS Teams, Email, Webhooks, and internal Alerts). There is no explicit sanitization or truncation of test.title before it is used in these notifications. In a vulnerability management system like DefectDojo, test.title can contain sensitive information such as internal project names, specific vulnerability details, or references to unreleased features. This sensitive information could be disclosed to unauthorized users or external systems if notification channels are not strictly controlled. |
| Filename | dojo/api_v2/views.py |
| CodeLink | django-DefectDojo/dojo/api_v2/views.py Lines 2165 to 2168 in 6f0897a |