wazuh

v4.14.5 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 4 known CVEs

Topics

cloud-security compliance configuration-assessement container-security security file-integrity-monitoring incident-response log-analysis malware-detection pci-dss security-audit security-automation security-hardening security-tools siem vulnerability-detection wazuh xdr

Summary

AI summary

Multiple security fixes for DAPI, buffer overflow, path traversal, and RBAC bypass.

Full changelog

Manager

Fixed

  • Fixed DAPI callable resolution to restrict invocations to exposed resources only. (#34889)
  • Fixed uncontrolled memory allocation in cluster caused by crafted packet length. (#35173) (#35412)
  • Fixed rate limit bypass for the /events endpoint. (#35077)
  • Fixed buffer overflow in analysisd regex match processing. (#35106)
  • Fixed path traversal in authd via agent group name validation. (#35230)
  • Fixed size_t underflow in remoted ReadSecMSG causing potential heap overflow. (#35193)
  • Fixed RBAC bypass in DAPI allowing privilege escalation. (#35307)
  • Fixed analysisd plugin decoder argument alignment. (#35176)

Agent

Fixed

  • Fixed rootcheck false positive for /dev/.blkid.tab. (#34734)
  • Fixed ORDER_REVERSAL deadlocks in FIM. (#34735)
  • Fixed Roundcube decoder regex to prevent srcip truncation in "Failed login ... in session" logs. (#34793)
  • Fixed macOS Ventura SCA policy incorrectly passing pmset checks. (#34693)
  • Fixed Office365 integration pagination by trimming HTTP header values. (#34673)
  • Fixed FIM false positives caused by double readdir check. (#34880)
  • Fixed audit log cache overflow for events with many records in logcollector. (#35285)
  • Fixed daily marker for GuardDuty log collector. (#35110)
  • Fixed rootcheck not generating findings. (#35297)
  • Fixed heap buffer overflow in syscheck Registry Wildcard Expansion. (#35287)

Changed

  • Changed RHEL init script with SUSE variant on SLES 11. (#34563)
  • Changed service check from WMI to sc.exe. (#34543)
  • Changed Windows syscollector to include command arguments. (#34727)

RESTful API

Fixed

  • Fixed allow_higher_versions validation in API upload_configuration. (#34905)
  • Fixed nested JSON depth limit in API request processing. (#35224)
  • Fixed upload size limit config mismatch. (#35141)

Ruleset

Fixed

  • Fixed bug in CIS SCA checks 35675 and 35689 for Ubuntu 24.04. (#35088)
  • Fixed Dovecot decoders to correctly extract rip and lip fields. (#35089)

Other

Changed

  • Updated dependencies cryptography to 46.0.5, Werkzeug to 3.1.6, pip to 26.0.1 and wheel to 0.46.3. (#34907)
  • Updated embedded Python to 3.10.20 and dependencies pyjwt, pyasn1. (#35135)
  • Updated dependencies cryptography, requests. (#35331)

Security Fixes

  • DAPI callable resolution restriction
  • Buffer overflow in analysisd regex match
  • Path traversal in authd via agent group name
  • RBAC bypass in DAPI allowing privilege escalation

About wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
