RPM-597 Platform users no longer impact the user pool.
Application Lifecycle LifeTime
Fix Details:
*Symptoms* The customer, when trying to register an environment on LifeTime, gets the following error message: "Your license doesn't allow any more production environments. Please contact OutSystems Support"
*How to reproduce* Try to register a new environment on LifeTime with the environment already registered on the Licensing portal.

RPM-684 Fixed an issue in POST /users of LifeTime API v2 where the incorrect error code was returned. CVSSv3.1 score 4.3 (Medium).
Application Lifecycle LifeTime
Fix Details:
*Symptoms* It is possible to enumerate the users of an infrastructure via different reply messages from the LifeTime API with access-only permissions. This vulnerability was classified as Medium with a risk score of 4.3.
*How to reproduce* Prerequisites: have a service account with access-only permissions.
1. Make a request to the users API to create a new user with a username that already exists.
2. Check that the reply contains the message "Failed to create user ' ' because A user with username '{username}' already exists" and the status code 400.
3. Make a request to create a user with a username that does not exist.
4. Note that the reply message is "Failed to change user password because user has insufficient permissions." and the status code is 403.
*Findings* Check the pictures in annex to this issue.
*Impact* List users present on the infrastructure.
*Reoccurrence Likelihood* Not likely.

RPM-707 Fixed restrictions on LifeTime for unprivileged users. CVSSv3.1 score 4.3 (Medium).
Application Lifecycle LifeTime
Fix Details:
LifeTime is not properly validating user permissions and is allowing access to information that is not meant to be presented to users with low privileges. This has been classified as a vulnerability with a Medium severity and base score of 4.3.

RPM-727 Fixed a security issue that could allow a brute force attack while changing passwords. CVSSv3.1 score 2.8 (Low).
Application Lifecycle LifeTime
Fix Details:
*Symptoms* The functionality of a user changing his own password does not limit the number of tries for the current password. If an attacker is able to compromise a session, he will have unlimited tries to discover the user password. This vulnerability was classified as Low with a CVSS score of 2.8.
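
The response difference described under RPM-684 comes from testing whether the username exists before testing whether the caller may create users. The following added example (not OutSystems code) models both orderings in a simplified in-memory handler and includes a regression check that fails when an unprivileged caller can tell the two cases apart; the function names, the sample user set and the 403 message text are all constructed for illustration.

```python
# Simplified in-memory model of a "create user" endpoint.
# All names and data here are constructed; this is not the LifeTime API.
SAMPLE_USERS = frozenset({"alice", "bob"})       # constructed sample directory
FORBIDDEN = (403, "Insufficient permissions")    # constructed message text


def create_user_leaky(users, caller_can_manage, username):
    """Existence is checked before authorization, so the reply reveals it."""
    if username in users:
        return 400, f"A user with username '{username}' already exists"
    if not caller_can_manage:
        return FORBIDDEN
    users.add(username)
    return 201, "Created"


def create_user_hardened(users, caller_can_manage, username):
    """Authorization is checked first; unprivileged callers learn nothing."""
    if not caller_can_manage:
        return FORBIDDEN
    if username in users:
        return 400, f"A user with username '{username}' already exists"
    users.add(username)
    return 201, "Created"


def leaks_existence(handler, users, known, unknown):
    """Regression check: an unprivileged caller must receive identical
    (status, message) pairs for an existing and a non-existing username."""
    reply_known = handler(set(users), False, known)
    reply_unknown = handler(set(users), False, unknown)
    return reply_known != reply_unknown


if __name__ == "__main__":
    for handler in (create_user_leaky, create_user_hardened):
        leaked = leaks_existence(handler, SAMPLE_USERS, "alice", "zed")
        print(f"{handler.__name__}: distinguishable replies = {leaked}")
```

A check like `leaks_existence` belongs in the API's test suite so that a later change to the validation order does not reintroduce the difference.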