I'm trying to find the "official CVE disclosure" mentioned in the email entitled "SequenceServer security risk / please update asap" received on 2nd July 2024

As the title says, the email I/we received on the 2nd July 2024 states:

We will be issuing an official CVE disclosure in a few weeks. By then, we hope that most public-facing and high-risk internal servers will have been upgraded.

Is there a URL to this, or even a sequenceserver.com blog post about this to serve as a reference? The only evidence of this is the email I received … and I’m sure not everyone who deploys a sequenceserver instance signs up to the support forum.

Dear @martinjv,

thanks for the message and your patience.

We indeed did our best to reach out to every email we had on record, not just those from the support forum.

The CVE is now up (on GitHub); we understand that GitHub should imminently be pushing it to CVE.org.

Kind regards,
Yannick

Hi @yannick_wurm,

That’s perfect, thank you for that.

Many thanks,

Martin