CVEs that do not Affect TOS or will not be Fixed

CVEs that do not Affect TOS

The following CVEs do not affect TOS:

  • CVE-2025-1974, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098

    TOS does not use the admission controller component of Ingress-NGINX and therefore is not affected.

  • Apache Tomcat Remote Code Execution via write enabled Default Servlet (CVE-2025-24813)

    CVE-2025-24813 does not affect TOS because the default servlet runs with its default setting of the readonly parameter (true), so writes through the default servlet are disabled.

  • Libwebp Vulnerability (CVE-2023-4863)

    CVE-2023-4863 does not affect TOS.

  • mod_auth_openidc Denial-of-Service attack (CVE-2023-28625)

    CVE-2023-28625 does not affect TOS, since TOS does not use the OIDCStripCookies setting in its configuration.

  • OpenSSL Email Address Buffer Overflows (CVE-2022-3602 / CVE-2022-3786)

    TOS products do not use OpenSSL version 3.x.

  • Spring Data MongoDB SpEL Expression injection vulnerability (CVE-2022-22980)

    TOS does not use Spring Data MongoDB and therefore is not affected.

  • Spring Framework Spring4Shell RCE (CVE-2022-22965)

    According to the information provided by VMware, the Spring Framework vendor, the CVE only affects applications running on JDK 9 and above. TOS runs on JDK 8 and, based on that information, is not affected.

  • Spring Cloud Function RCE (CVE-2022-22963)

    TOS does not use Spring Cloud functions and therefore is not affected.

  • Spring Cloud Gateway Code Injection Vulnerability (CVE-2022-22947)

    TOS does not use Spring Cloud Gateway and therefore is not affected.

  • CVE-2022-23305

    TOS products do not use the JDBCAppender in the Log4j configuration.

  • CVE-2022-23307

    TOS products do not use the Chainsaw UI.

  • CVE-2022-23302

    TOS products do not use the JMSSink in the Log4j configuration.

  • CVE-2021-4104

    TOS products do not use the JMSAppender in the Log4j configuration.

  • CVE-2020-1938

    Apache Tomcat Ghostcat flaw: the Apache Tomcat AJP port is disabled.

  • CVE-2020-1745

    Undertow Web Server Ghostcat flaw: the Keycloak Undertow AJP port is bound to localhost.
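The Log4j 1.x entries above (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305) all rest on the same kind of claim: a particular appender or sink class is absent from the Log4j configuration. The following is an added example, not Tufin's code, of how an operator can verify that claim against their own log4j.properties or log4j.xml; the class names are the standard Log4j 1.x ones and the two sample configurations are constructed for illustration.

```python
"""Audit a Log4j 1.x configuration for the appender classes behind the Log4j 1.x
CVEs listed above. Added example, not Tufin's code; sample configs are constructed."""
import re
import xml.etree.ElementTree as ET

# Appender/sink classes named on the page, mapped to the CVE each one is tied to.
FLAGGED_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# Matches "log4j.appender.NAME=class" only; NAME has no dots, so sub-properties
# such as "log4j.appender.NAME.layout=..." do not match.
_PROP_APPENDER = re.compile(r"^log4j\.appender\.([^.\s=:]+)\s*[=:]\s*(\S+)\s*$")

def appender_classes(config_text):
    """Return the appender class names declared in a log4j.properties or log4j.xml."""
    text = config_text.strip()
    if text.startswith("<"):  # XML form: <appender name="..." class="..."/>
        root = ET.fromstring(text)
        return {el.get("class") for el in root.iter("appender") if el.get("class")}
    classes = set()
    for line in text.splitlines():  # properties form
        m = _PROP_APPENDER.match(line.strip())
        if m:
            classes.add(m.group(2))
    return classes

def audit(config_text):
    """Map each flagged class present in the config to its CVE; {} means none is configured."""
    return {c: FLAGGED_CLASSES[c] for c in appender_classes(config_text) if c in FLAGGED_CLASSES}

# Constructed samples: a file-only config, and one that wires in JMS and JDBC appenders.
CLEAN_PROPERTIES = """
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=/var/log/app.log
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
"""
RISKY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="FILE" class="org.apache.log4j.FileAppender"/>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender"/>
  <appender name="DB" class="org.apache.log4j.jdbc.JDBCAppender"/>
</log4j:configuration>
"""

if __name__ == "__main__":
    print("clean:", audit(CLEAN_PROPERTIES))  # {}
    print("risky:", audit(RISKY_XML))
```

The check only covers what the configuration declares; a class that is wired up programmatically or via a different configuration mechanism would need to be looked for separately.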

CVEs that will not be Fixed

The following CVEs will not be fixed by Tufin:

  • CVE-2020-13461

    Username enumeration in Tufin SecureTrack.

    Tufin has categorized the vulnerability as low severity and has decided not to fix it.

    This attack requires access to the internal network. If an attacker is part of the internal network, they do not require access to TOS to know the usernames.