# Security Advisories

{% hint style="warning" %}

### Vulnerability Disclosure Program

Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program. Please submit reports through <https://bugcrowd.com/keepersecurity> or send an email to <security@keepersecurity.com>.
{% endhint %}

| Severity (CVSS v3.1 score) | CVE ID         | Description                                                                                | Fixed in Keeper Connection Manager (or legacy Glyptodon) Release |
| -------------------------- | -------------- | ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------- |
| Low (1.8)                  | CVE-2020-9497  | Improper input validation of RDP static virtual channels                                   | 1.13, 2.1                                                        |
| Medium (5.9)               | CVE-2020-9498  | Dangling pointer in RDP static virtual channel handling                                    | 1.13, 2.1                                                        |
| Medium (4.1)               | CVE-2020-11997 | Inconsistent restriction of connection history visibility                                  | 1.14, 2.2                                                        |
| Medium (4.4)               | CVE-2021-41767 | Private tunnel identifier may be included in the non-private details of active connections | 1.16, 2.6                                                        |
| High (8.7)                 | CVE-2021-43999 | Improper validation of SAML responses                                                      | 2.7                                                              |

### Severity rating scale <a href="#id-.advisoriesv1.x-severityratingscale" id="id-.advisoriesv1.x-severityratingscale"></a>

The Keeper Connection Manager team evaluates the factual details of each known vulnerability affecting Keeper Connection Manager and assigns a severity rating using the [CVSS v3.1 scoring system](https://www.first.org/cvss/v3.1/specification-document), a standard owned by [FIRST.Org, Inc.](https://first.org/) which FIRST has made freely available for public use. This scoring system produces a numeric base score between 0.0 and 10.0, which is then classified according to [the "Qualitative Severity Rating Scale" published with the CVSS standard](https://www.first.org/cvss/specification-document#Qualitative-Severity-Rating-Scale). The specific analysis that went into each assigned score can also be found within the advisory document for that vulnerability, referenced in the main table above.

| Severity | CVSS score range |
| -------- | ---------------- |
| None     | 0.0              |
| Low      | 0.1 - 3.9        |
| Medium   | 4.0 - 6.9        |
| High     | 7.0 - 8.9        |
| Critical | 9.0 - 10.0       |

