KB-2233 Appian Self-Managed Vulnerability Testing

Kaushal Patel — Fri, 16 Jan 2026 19:01:58 GMT

Current Revision posted to Appian Knowledge Base by Kaushal Patel on 1/16/2026 7:01:58 PM

Purpose

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing and vulnerability scanning as well as software composition analysis scans on installers, containers and plugin jars. This article outlines accepted formats for submitting vulnerabilities to Appian.

Submitting Results

The following applies to all submissions:

Appian reviews security scan results only for recent hotfixes. Customers running older hotfix versions should upgrade to a recent hotfix and resubmit security scan results before Appian team initiates review.
All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: May 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:09:33 GMT

Revision 29 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:09:33 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: May 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:03:11 GMT

Revision 28 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:03:11 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: May 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Wed, 03 May 2023 15:41:48 GMT

Revision 27 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 3:41:48 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: April 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Wed, 03 May 2023 15:40:26 GMT

Revision 26 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 3:40:26 PM

Purpose

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing, vulnerability scanning and software composition analysis scans on installers or containers. This article outlines accepted formats for submitting vulnerabilities to Appian.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: April 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Maggie Deppe-Walker — Mon, 17 Apr 2023 08:36:50 GMT

Revision 25 posted to Appian Knowledge Base by Maggie Deppe-Walker on 4/17/2023 8:36:50 AM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: April 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 22:00:10 GMT

Revision 24 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 10:00:10 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:46:18 GMT

Revision 23 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:46:18 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses of the report and individual findings through the support case.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:22:47 GMT

Revision 21 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:22:47 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:22:47 GMT

Revision 22 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:22:47 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet according to the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:20:57 GMT

Revision 20 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:20:57 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet and take note of the following:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:17:06 GMT

Revision 19 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:17:06 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet. NOTE: all submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept direct output from automated scanners without additional manual validation.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:15:53 GMT

Revision 18 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:15:53 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:15:14 GMT

Revision 17 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:15:14 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 21:14:32 GMT

Revision 16 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 9:14:32 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian vulnerability submission worksheet and take note that all submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept direct output from automated scanners without additional manual validation.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.
If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:40:29 GMT

Revision 15 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:40:29 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:35:14 GMT

Revision 14 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:35:14 PM

Purpose

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:29:30 GMT

Revision 13 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:29:30 PM

Purpose

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing, vulnerability scanning and software composition analysis scans on installers or containers. Any proposed vulnerabilities submitted to Appian must be done via support case in the following formats:

Submitting Results

All submissions must adhere to the following:

Appian will not accept findings that are missing information within the provided template.
All vulnerability documentation (including results, summaries, and reproduction steps) must be submitted in English.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:28:18 GMT

Revision 12 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:28:18 PM

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing, vulnerability scanning and software composition analysis scans on installers or containers. Any proposed vulnerabilities submitted to Appian must be done via support case in the following formats:

Submitting Results

All submissions must adhere to the following:

Appian will not accept findings that are missing information within the provided template.
All vulnerability documentation (including results, summaries, and reproduction steps) must be submitted in English.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:28:01 GMT

Revision 11 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:28:01 PM

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing, vulnerability scanning and software composition analysis scans on installers or containers. Any proposed vulnerabilities submitted to Appian must be done via support case in the following formats:

Submitting Results

All submissions must adhere to the following:

Appian will not accept findings that are missing information within the provided template.
All vulnerability documentation (including results, summaries, and reproduction steps) must be submitted in English.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security

KB-KB-2233 Appian Self-Managed Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 17:27:21 GMT

Revision 10 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 5:27:21 PM

Self-managed customers can perform security-related activities against their Appian installation such as penetration testing, vulnerability scanning and software composition analysis scans on installers or containers. Any proposed vulnerabilities submitted to Appian must be done via support case in the following formats:

Submitting Results

All submissions must adhere to the following:

Appian will not accept findings that are missing information within the provided template.
All vulnerability documentation (including results, summaries, and reproduction steps) must be submitted in English.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers or containers.

Fill out the Appian third-party vulnerability submission worksheet and take note of the following:

Version (major and hotfix) must be provided.
Self-managed vs. leveraging Appian on Kubernetes must be specified.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Affected Versions

This article applies to all self-managed versions of Appian.

Last Reviewed: February 2023

Tags: self-managed, Security