From: Manoop Talasila <talasila@research.att.com>
Date: Thu, 30 May 2019 14:46:41 +0000 (+0000)
Subject: Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956
X-Git-Tag: 3.2.0~307
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=portal.git;a=commitdiff_plain;h=40c8f073970f3664786d1bb4d4c69ed3f57b8b45;hp=88f48d47dc427e73842c0b65a6b544c8229c2773

Merge changes I1c586793,I47249407,Idad22dea,I5c3bee06,I5cb96956

* changes:
  Document OJSI-190 vulnerability
  Document OJSI-174 (CVE-2019-12318) vulnerability
  Document OJSI-92 (CVE-2019-12121) vulnerability
  Document OJSI-65 (CVE-2019-1212) vulnerability
  Document OJSI-15 (CVE-2019-12317) vulnerability
---

diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 457819bc..9502569a 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -35,9 +35,15 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l
 *Fixed Security Issues*
 
 *Known Security Issues*
+
+	* CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 <https://jira.onap.org/browse/OJSI-15>`_]
+	* CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 <https://jira.onap.org/browse/OJSI-65>`_]
+	* CVE-2019-12121 - ONAP Portal is vulnerable for Padding Oracle attack [`OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_]
 	* In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 <https://jira.onap.org/browse/OJSI-97>`_]
 	* In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 <https://jira.onap.org/browse/OJSI-105>`_]
 	* In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 <https://jira.onap.org/browse/OJSI-106>`_]
+	* CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 <https://jira.onap.org/browse/OJSI-174>`_]
+	* Portal stores users passwords encrypted instead of hashed [`OJSI-190 <https://jira.onap.org/browse/OJSI-190>`_]
 
 *Known Vulnerabilities in Used Modules*