Merging to release-5.6: Update 5.6.0 (#5669)

Update 5.6.0 (#5669) update
TykTechnologies · Oct 25, 2024 · 33197c3 · 33197c3
1 parent 7a12f46
commit 33197c3
Showing 1 changed file with 0 additions and 35 deletions.
diff --git a/tyk-docs/content/product-stack/tyk-dashboard/release-notes/version-5.6.md b/tyk-docs/content/product-stack/tyk-dashboard/release-notes/version-5.6.md
@@ -275,41 +275,6 @@ We have fixed an issue in the Monitoring section of the Dashboard UI where the *
 
 </ul>
 
-#### Security Fixes
-<!-- This section should be a bullet point list that should be included when any security fixes have been made in the release, e.g. CVEs. For CVE fixes, consideration needs to be made as follows:
-1. Dependency-tracked CVEs - External-tracked CVEs should be included on the release note.
-2. Internal scanned CVEs - Refer to the relevant engineering and delivery policy.
-For agreed CVE security fixes, provide a link to the corresponding entry on the NIST website. For example:
-- Fixed the following CVEs:
-    - [CVE-2022-33082](https://nvd.nist.gov/vuln/detail/CVE-2022-33082)
--->
-<ul>
-<li>
-<details>
-<summary>Strengthened RBAC password reset permissions</summary>
-
-We have fixed a privilege escalation vulnerability where a user with certain permissions could potentially reset other users' passwords, including admin accounts. The following changes have been made to tighten the behavior of the password reset permission:
-- All users can reset their own passwords
-- A specific permission is required to reset the password of another user within the same Tyk organization
-- This permission can only be assigned by an admin or super-admin
-- This permission can only be assigned to an admin and cannot be assigned to a user group
-- The allow_admin_reset_password configuration option automatically grants this permission to all admin users
-- Super-admins always have the password reset permission across all Tyk organization
-
-</details>
-</li>
-
-<li>
-<details>
-<summary>Gateway secret could be exposed in debug logs</summary>
-
-Resolved an issue where the Gateway secret was inadvertently included in the log generated by the Dashboard for a call to the `/api/keys` endpoint when in debug mode. This issue has been fixed to prevent sensitive information from appearing in system logs. We do not recommend running production environments in debug mode.
-
-</details>
-</li>
-
-
-</ul>
 <!-- Required. use 3 hyphens --- between release notes of every patch (minors will be on a separate page) -->
 
 ---