Skyve 9.4.3 released
This release of Skyve is a security hardening update for the reporting subsystem.
Report Configuration Hardening
Skyve 9.4.3 sets TemplateClassResolver.ALLOWS_NOTHING_RESOLVER on the report configuration. With this resolver in place the report engine refuses to instantiate any class on behalf of a template, so report templates can no longer be used to create arbitrary objects and are resolved safely.
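TemplateClassResolver is a FreeMarker class, and the setting above is applied to a FreeMarker Configuration. The following is an added example, not Skyve's own code: a stand-alone Java program that builds a Configuration with the same hardening and checks that an ordinary report fragment still renders while a template that attempts class instantiation through FreeMarker's `?new` built-in is rejected. The class name `HardenedReportConfigDemo`, the helper methods, the sample data model and the FreeMarker version constant are assumptions for the demo; it needs the `org.freemarker:freemarker` artifact (2.3.31 or later) on the classpath.

```java
// Added example (not Skyve's code): apply ALLOWS_NOTHING_RESOLVER to a FreeMarker
// Configuration and confirm that templates cannot instantiate classes.
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HardenedReportConfigDemo {

    /** Builds a Configuration that refuses every class-instantiation request from a template. */
    static Configuration hardenedConfiguration() {
        // Version constant is an assumption; use the incompatible-improvements version your project targets.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The ?new built-in consults this resolver before instantiating anything;
        // ALLOWS_NOTHING_RESOLVER rejects all classes, which is the setting Skyve 9.4.3 applies.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    /** Renders an inline template string against a data model and returns the output. */
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("inline-report", source, cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Configuration cfg = hardenedConfiguration();

        // Sanity check on the configuration itself, useful in a startup self-test.
        if (cfg.getNewBuiltinClassResolver() != TemplateClassResolver.ALLOWS_NOTHING_RESOLVER) {
            throw new IllegalStateException("report configuration is not hardened");
        }

        Map<String, Object> model = new HashMap<>(); // constructed sample data
        model.put("customer", "Example Customer Pty Ltd");

        // 1. A normal report fragment still renders as before.
        System.out.println(render(cfg, "Invoice for ${customer}", model));

        // 2. A template that asks FreeMarker to instantiate a class (a harmless one here)
        //    is refused at render time, regardless of which class it names.
        try {
            render(cfg, "${\"java.lang.StringBuilder\"?new()}", model);
            System.out.println("UNEXPECTED: class instantiation was allowed");
        } catch (TemplateException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

The same hardening can be expressed through FreeMarker's string settings (for example from a properties file) as `cfg.setSetting("new_builtin_class_resolver", "allows_nothing")`; the startup check in `main` is a cheap way to assert that whichever path configured the engine actually left the restrictive resolver in place.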
This change resolves a security advisory responsibly disclosed by tonghuaroot. We thank them for their work in helping to keep Skyve secure. Further details are available in the GitHub security advisory.
Not all applications are affected: exploitation requires both a compromised or malicious privileged user account and a Skyve application that is accessible over the internet. As a precaution, we nonetheless recommend all users upgrade to this version.
Notes for Upgrading
To upgrade your Skyve project to this version, change the Skyve version in your pom.xml to 9.4.3 and perform an assemble.
If you are upgrading from a version older than 9.4.2, please see the previous release notes and also apply those changes.
See the complete upgrade instructions on GitHub.