This document lists known security issues that might be relevant for TranslationStudio.

Wherever possible, recommendations are discussed and steps suggested to address any such issue.

This page will be updated whenever we learn about a relevant issue.

1. General Recommendations

The following recommendations are general tips to minimise the attack surface from the start.

  • Stay up-to-date with the latest JDK version compatible with TranslationStudio.

  • Follow the principle of least privilege when operating TranslationStudio. The start script can be updated to set the user/group it runs as accordingly.

  • Only grant access to external URLs where needed. TranslationStudio usually needs to contact only a short, specific list of addresses: the email server, the translation memory system provider (if applicable) and the CMS.

2. Common Vulnerabilities and Exposures (CVE)

Issue: CVE-2022-45868, CVE-2022-23221, CVE-2021-42392, CVE-2021-23463 - H2 database
Status: Not impacted (01.01.2024)
Description: Although translationstudio may use an embedded H2 database, the aforementioned vulnerabilities can only take effect if a third party has already gained access to your server. In addition, they require H2 to be started in server mode or via the console, neither of which translationstudio uses. Newer versions of translationstudio also ship with a patched H2 version, 2.2.224.

Issue: CVE-2022-22965, CVE-2022-22963 - Spring Framework, Spring Cloud Function
Status: Not impacted (01.04.2022)
Description: translationstudio is not affected by these vulnerabilities (remote code execution in Spring Framework and Spring Cloud Function).

Issue: CVE-2021-44228 - Apache Log4j
Status: Not impacted (13.12.2021)
Description: translationstudio is not directly affected because it does not use Log4j, and its dependencies do not add the library to the classpath either. Please follow the general advice related to this CVE. The behaviour causing the issue can be deactivated directly by adding -Dlog4j2.formatMsgNoLookups=true to ./conf/jvm.conf. Note that this flag is only a partial mitigation; wherever Log4j is actually present, upgrading it to a fixed release is the reliable fix.
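As an added verification example (not part of TranslationStudio or of this page), the following POSIX shell script checks an installation against the points above: that no Log4j 2 core jar is on the classpath, that the bundled H2 is at least the patched 2.2.224, and that the lookup-disabling flag is present in jvm.conf. It assumes dependency jars sit in a lib/ directory with versioned file names and that ./conf/jvm.conf lists one JVM option per line; the sample installation it inspects is constructed in a temporary directory.

```shell
# Hypothetical check script, not part of TranslationStudio. Assumes dependency
# jars sit in a lib/ directory with versioned names (h2-2.2.224.jar,
# log4j-core-2.x.jar) and that conf/jvm.conf lists one JVM option per line.

# Return 0 if a Log4j 2 core jar is present (the page states there is none).
has_log4j_core() {
    for f in "$1"/log4j-core-*.jar; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print the H2 version taken from the jar name (e.g. 2.2.224); nothing if absent.
h2_version() {
    for f in "$1"/h2-[0-9]*.jar; do
        [ -e "$f" ] || return 0
        basename "$f" .jar | sed 's/^h2-//'
        return 0
    done
}

# Return 0 if dotted version $1 is >= dotted version $2 (numeric, 3 components).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) { if (x[i]+0 > y[i]+0) exit 0; if (x[i]+0 < y[i]+0) exit 1 }
        exit 0 }'
}

# Return 0 if the bundled H2 is at least the patched 2.2.224 named on the page.
h2_is_patched() {
    v=$(h2_version "$1")
    [ -n "$v" ] && version_ge "$v" 2.2.224
}

# Return 0 if jvm.conf carries the lookup-disabling flag from the page.
has_no_lookups_flag() {
    grep -qx -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# Constructed sample installation in a temp dir (removed on exit), not real data.
demo_root=$(mktemp -d); trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/lib" "$demo_root/conf"
touch "$demo_root/lib/h2-2.2.224.jar" "$demo_root/lib/other-dep-1.0.jar"
printf -- '-Xmx512m\n-Dlog4j2.formatMsgNoLookups=true\n' > "$demo_root/conf/jvm.conf"

has_log4j_core "$demo_root/lib" && echo "WARN: log4j-core on classpath" || echo "OK: no log4j-core"
h2_is_patched "$demo_root/lib" && echo "OK: H2 $(h2_version "$demo_root/lib")" || echo "WARN: H2 older than 2.2.224"
has_no_lookups_flag "$demo_root/conf/jvm.conf" && echo "OK: formatMsgNoLookups set" || echo "INFO: flag not set"
```

Point the three functions at a real installation's lib/ and conf/jvm.conf paths instead of the constructed temp directory to run the same checks there.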