On 29-Mar-2024, a Microsoft security researcher announced that he had discovered malicious code in the upstream tarballs of xz, a lossless data compression library, starting with version 5.6.0. Shortly thereafter, NVD assigned the backdoor vulnerability a CVE, and CISA recommended all affected users downgrade to an uncompromised version.
After assessing the Appian platform against all details of the CVE, we can confirm that it is not impacted by this vulnerability, because Appian does not use the impacted versions described in the above advisories. We will continue to monitor the situation and provide updates as appropriate.
The following CVE was released with additional information on the scope of the vulnerability:
This article applies to all supported versions of Appian.
Last reviewed: April 5, 2024