| Tip |
|---|
This is the advisory page for Identity Provider V5 releases. For IdP plugins supported by the project, see the plugins home page. For older IdP advisories, please refer to the V4 IDP SecurityAdvisories page. For the SP, please refer to V3 SPÂ SecurityAdvisories page. As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html |
...
Version | EOL | User Data Exposure | User Data Accuracy | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
All | X | X | X | 2018-01-23, 2017-05-18 | |||
5.1.3 | |||||||
5.1.2 | Jul 2024 | ||||||
5.1.1 | Apr 2024 | X | 2024-03-20 | ||||
5.1.0 | Mar 2024 | X | 2024-03-20 | ||||
5.0.0 | Mar 2024 | X |
Advisory List
Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
2024-03-20 | CAS service URL handling vulnerable to Server-Side Request Forgery | IdP < 5.1.2 | low | CVE-2024-22259, CVE-2024-22262 |
2018-01-23 | All | high | ||
2017-05-18 | All | high |
...
Guava (any) (CVE-2020-8908)
We don't use the affected, deprecated function, and there is no fix for the issue.
Spring Framerwork (CVE-2024-38809)
The IdP is not impacted by this issue.
Bouncy Castle (CVE-2024-29857, CVE-2024-30171 , CVE-2024-30172, CVE-2024-34447)
The IdP is not impacted by these issues. Bouncy Castle is problematic to update because they do not follow sensible API and behavioral versioning practices and mix functional and ABI changes with security fixes. While we may update it once we are able, our priority is to remove our runtime dependency on it (It likely will continue to be used by the installer in very limited fashion).