CVEs That Do Not Affect TOS or Will Not Be Fixed

CVEs That Do Not Affect TOS

The following CVEs do not affect TOS:

  • CVE-2026-1580

    TOS does not allow user control over Kubernetes Ingress resources. The ingress-nginx component in TOS is internal-only, not internet-facing, and not user-configurable.

  • CVE-2026-24512

    TOS customers do not have RBAC or API access to ingress objects and therefore cannot modify ingress rules.

  • CVE-2026-24513

    TOS ingress configuration is static and vendor-controlled, and is isolated within the cluster. The vulnerability relies on ingress annotation manipulation, which is not possible in TOS.

  • CVE-2025-61984

    TOS does not configure an OpenSSH client ProxyCommand that expands %r (the remote username) with an untrusted value in the default TOS or TufinOS deployment model, so the precondition for this CVE is not met.

  • CVE-2025-1974

    CVE-2025-24514

    CVE-2025-1097

    CVE-2025-1098

    TOS does not use the admission controller component of Ingress-NGINX and therefore is not affected.

  • CVE-2025-24813

    TOS uses the Tomcat default configuration, in which the default servlet's readonly init parameter is true, so write (PUT) access through the default servlet is disabled.

  • CVE-2023-4863

    TOS is not affected.

  • CVE-2023-28625

    TOS does not use the OIDCStripCookies setting in its configuration.

  • CVE-2022-3602

    CVE-2022-3786

    TOS products do not use OpenSSL version 3.x.

  • CVE-2022-22980

    TOS does not use Spring Data MongoDB and therefore is not affected.

  • CVE-2022-22965

    According to the Spring Framework vendor, this CVE affects applications running on JDK 9 and above. TOS runs on JDK 8 and is therefore not affected.

  • CVE-2022-22963

    TOS does not use Spring Cloud functions and therefore is not affected.

  • CVE-2022-22947

    TOS does not use Spring Cloud Gateway and therefore is not affected.

  • CVE-2022-23305

    TOS products do not use the JDBCAppender in the Log4j configuration.

  • CVE-2022-23307

    TOS products do not use the Chainsaw UI.

  • CVE-2022-23302

    TOS products do not use the JMSSink in the Log4j configuration.

  • CVE-2021-4104

    TOS products do not use the JMSAppender in the Log4j configuration.

  • CVE-2020-1938

    The Apache Tomcat AJP connector is disabled, so the AJP port is not open.

  • CVE-2020-1745

    The Keycloak Undertow AJP listener is bound to localhost only and is not reachable from other hosts.
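Several entries above rest on a configuration fact rather than a version: the Tomcat AJP connector being disabled (CVE-2020-1938), the Keycloak AJP listener being bound to localhost (CVE-2020-1745), the default servlet being read-only (CVE-2025-24813), no JMSAppender, JDBCAppender, JMSSink or Chainsaw being configured in Log4j 1.x (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307), and no ProxyCommand expanding %r (CVE-2025-61984). The script below is an added example, not Tufin's or TOS's code, that verifies those facts in a deployment's own files. It assumes standard Tomcat server.xml and web.xml layouts, a Log4j 1.x properties or XML file, and an OpenSSH ssh_config; the sample files embedded in it are constructed for the example. The loopback-address check mirrors the Keycloak mitigation; for Tomcat the advisory's mitigation is to disable the connector, which the parser reports as an empty connector list.

```python
"""Added audit script (not Tufin's code): checks, against constructed sample
configuration files embedded below, the deployment facts the advisory relies on."""
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag (web.xml uses a default namespace)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    return next((c.text.strip() for c in elem if _local(c.tag) == name and c.text), "")


def ajp_connectors(server_xml: str) -> list:
    """Enabled AJP connectors in a Tomcat server.xml with their bind address.
    Commented-out connectors (Tomcat's shipped default) are dropped by the XML
    parser, so a disabled connector yields an empty list (CVE-2020-1938)."""
    out = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            addr = conn.get("address", "0.0.0.0")  # absent => all interfaces
            out.append({"port": conn.get("port"), "address": addr,
                        "loopback_only": addr in LOOPBACK})
    return out


def default_servlet_readonly(web_xml: str) -> bool:
    """True unless the 'default' servlet sets readonly=false (CVE-2025-24813 precondition)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-name") == "default":
            for param in servlet:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                    return _child_text(param, "param-value").lower() != "false"
    return True  # no readonly param: Tomcat's default is read-only


LOG4J1_RISKY = {  # Log4j 1.x classes the advisory says TOS does not configure
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.chainsaw": "CVE-2022-23307",
}


def log4j1_risky_classes(cfg: str) -> dict:
    """Risky Log4j 1.x classes referenced on an active (uncommented) config line."""
    cfg = re.sub(r"<!--.*?-->", "", cfg, flags=re.S)  # drop XML-style comments
    active = [l for l in cfg.splitlines() if not l.lstrip().startswith(("#", "!"))]
    return {cls: cve for cls, cve in LOG4J1_RISKY.items() if any(cls in l for l in active)}


def proxycommand_uses_remote_user(ssh_config: str) -> list:
    """ProxyCommand lines that expand %r (remote user), the CVE-2025-61984 precondition."""
    return [l.strip() for l in ssh_config.splitlines()
            if re.match(r"\s*ProxyCommand\b", l, re.I) and "%r" in l]


def audit(server_xml, web_xml, log4j_cfg, ssh_config) -> list:
    """One finding per advisory precondition that the given configs do NOT satisfy."""
    findings = []
    for c in ajp_connectors(server_xml):
        if not c["loopback_only"]:
            findings.append(f"AJP connector on port {c['port']} bound to {c['address']} (CVE-2020-1938)")
    if not default_servlet_readonly(web_xml):
        findings.append("default servlet readonly=false (CVE-2025-24813)")
    for cls, cve in log4j1_risky_classes(log4j_cfg).items():
        findings.append(f"Log4j 1.x {cls} configured ({cve})")
    for line in proxycommand_uses_remote_user(ssh_config):
        findings.append(f"ssh_config expands %r: {line} (CVE-2025-61984)")
    return findings


# --- constructed samples: an exposed set and a hardened set matching the advisory ---
SERVER_XML_EXPOSED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector protocol="AJP/1.3" port="8009"/>
</Service></Server>"""
SERVER_XML_HARDENED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector protocol="AJP/1.3" address="::1" port="8009"/> -->
</Service></Server>"""
WEB_XML_EXPOSED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
WEB_XML_HARDENED = WEB_XML_EXPOSED.replace("false", "true")
LOG4J_EXPOSED = """log4j.rootLogger=INFO, file, db
log4j.appender.file=org.apache.log4j.RollingFileAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender"""
LOG4J_HARDENED = LOG4J_EXPOSED.replace("log4j.appender.db=", "# log4j.appender.db=")
SSH_EXPOSED = "Host bastion\n  ProxyCommand ssh -W %h:%p jump-%r@bastion.example\n"
SSH_HARDENED = "Host bastion\n  ProxyCommand ssh -W %h:%p jump@bastion.example\n"

if __name__ == "__main__":
    for f in audit(SERVER_XML_EXPOSED, WEB_XML_EXPOSED, LOG4J_EXPOSED, SSH_EXPOSED):
        print("FINDING:", f)
    print("hardened set:", audit(SERVER_XML_HARDENED, WEB_XML_HARDENED, LOG4J_HARDENED, SSH_HARDENED))
```

Run against the real files (for example $CATALINA_BASE/conf/server.xml and conf/web.xml, the application's log4j.properties, and /etc/ssh/ssh_config) the audit returns an empty list when every precondition the advisory cites holds. It checks configuration only; it does not establish the installed Tomcat, Keycloak, Log4j or OpenSSH version, so a non-empty result means a precondition is present, not that the build is exploitable.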

CVEs That Will Not Be Fixed

The following CVEs will not be fixed by Tufin:

  • CVE-2020-13461

    Username enumeration in Tufin SecureTrack.

    Tufin has categorized the vulnerability as low severity and has decided not to fix it.

    The attack requires access to the internal network, and an attacker who is already on the internal network can learn the usernames without any access to TOS.