Resolved security issues in SharpV OS 14.4.0

AutoVu™ SharpV OS Release Notes 14.4.0

Product: SharpV
Content type: Release notes
Version: 14.4
Release: 14.4.0
Last updated: 2025-02-20

The following security-related issues are resolved in SharpV OS 14.4.0.

Highest severity of resolved issues: Critical

| Severity | Issue | Description |
|---|---|---|
| Critical | 3886363 | The SharpV OS Metrics page was previously accessible without authentication. (CWE-306) |
| High | 4355406 | Fixed authentication bypass on some RTSP commands in H264 streaming. (CWE-306) |
| High | 4355374 | Resolved denial of service caused by large RTSP requests by imposing a limit of 32,768 bytes per request. (CWE-789) |
| High | 4166604 | New passwords in the Sharp Portal now require at least 12 characters. (SecREQ-002) |
| High | 3961427 | Added input validation on cellular APN settings. (CWE-20, CWE-78) |
| High | 3871007 | JSON Web Token authentication logic no longer loads files with improper validation. (CWE-1286, CWE-820) |
| High | 3835913 | Updated jquery-validation to version 1.20.0. (BDSA-2023-3833/CWE-79) |
| High | 3412777 | Execution of external OS commands now encodes parameters to avoid OS command injections. (CWE-78) Added a timeout when executing regular expressions to avoid denial of service. (CWE-1333) |
| Medium | 4355414 | The RTSP implementation now returns a 404 Not Found error if the request refers to an invalid URL. (CWE-183) |
| Medium | 4320314 | Updating the cellular APN no longer logs the user name or the password associated with the APN. (CWE-256, CWE-312) |
| Medium | 4222737 | Improved validation for the PIP case number field in the Sharp Portal. |
| Medium | 4208846 | Added validation of certificate options on the front-end and back-end. (CWE-20) |
| Medium | 4160147 | The Azure.Identity library was upgraded. |
| Medium | 4160146 | The System.Formats.Asn1 library was upgraded. |
| Medium | 3836166 | When configuring firewall rules, SharpV OS no longer allows enabling both TCP and UDP port types. |
| Medium | 3767306 | The Enable reads trigger API compatibility mode feature is unused and has been removed. |
| Medium | 3689719 | SharpOS now validates the NTP server configuration received from AutoVu Cloudrunner™ services. (CWE-1287) |
| Medium | 3676997 | Removed unauthenticated access in a maintenance service used for testing. (CWE-305) |
| Medium | 3424752 | DHCP monitoring logic validates the character encoding of analyzed UDP packets. (CWE-1287) |
| Medium | 3315899 | Removed detailed information from web socket communication reports. (CWE-209) |
| Low | 4081856 | Removed OS information disclosure through LLDP messages. |
| Low | 3510638 | Sharp OS web API no longer exposes an unsupported firmware upgrade route. The Genetec Protocol FirmwareUpgradeSupported capability now indicates that firmware upgrade isn’t supported. (CWE-749) |
| Low | 2902656 | The Sharp OS Web API no longer returns detailed error messages. |