| Tip |
|---|
This is the advisory page for Identity Provider V5 releases. For IdP plugins supported by the project, see the plugins home page. For older IdP advisories, please refer to the V4 IDP SecurityAdvisories page. For the SP, please refer to V3 SPÂ SecurityAdvisories page. As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html |
...
Version | EOL | User Data Exposure | User Data Accuracy | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
All | X | X | X | 2018-01-23, 2017-05-18 | |||
5.1.3 | |||||||
5.1.2 | Jul 2024 | ||||||
5.1.1 | Apr 2024 | X | 2024-03-20 | ||||
5.1.0 | Mar 2024 | X | 2024-03-20 | ||||
5.0.0 | Mar 2024 | X |
Advisory List
Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
2024-03-20 | CAS service URL handling vulnerable to Server-Side Request Forgery | IdP < 5.1.2 | low | CVE-2024-22259, CVE-2024-22262 |
2018-01-23 | All | high | ||
2017-05-18 | All | high |
...
In the event that we ship releases known to, or that we subsequently discover to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.
V5.1.
...
3
Guava (any) (CVE-2020-8908)
We don't use the affected, deprecated function, and there is no fix for the issue.