| Tip |
|---|
This is the advisory page for Identity Provider V4 releases. For IdP plugins supported by the project, see the plugins home page. For the older V3 IdP's advisories, please refer to the V3 IDP SecurityAdvisories page. For the newer V5 IdP’s advisories, please refer to the V5 IDP Security Advisories page. For the SP, please refer to V3 SP SecurityAdvisories page. As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html |
...
The oldest IdP 4 version unaffected by fixable vulnerabilities is 4.3.2 (release imminent)3.
Version | EOL | User Data Exposure | User Data Accuracy | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
All | X | X | X | 2018-01-23, 2017-05-18 | |||
4.3.3 | |||||||
4.3.2 | Apr 2024 | X | 2024-03-20 | ||||
4.3.1 | Mar 2024 | X | 2024-03-20 | ||||
4.3.0 | Mar 2023 | X | X | X | 2023-03-30 | ||
4.2.1 | Jan 2023 | X | |||||
4.1.6 | Apr 2022 | X | X | X | 2022-12-16 | ||
4.1.5 | Mar 2022 | X | X | X | |||
4.1.4 | Jan 2022 | X | X | X | |||
4.1.2 | Jul 2021 | X | X | X | |||
4.1.0 | May 2021 | X | X | X | |||
4.0.1 | Mar 2021 | X | X | X | |||
4.0.0 | Jun 2020 | X | X | X |
Advisory List
Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
2024-03-20 | CAS service URL handling vulnerable to Server-Side Request Forgery | IdP < 4.3.3 | low | CVE-2024-22259, CVE-2024-22262 |
2023-04-18 | IdP on Windows < 4.3.1.1 | low | CVE-2023-26048, CVE-2023-26049 | |
2023-03-30 | Regression in RemoteUser login flow could lead to impersonation | IdP V4.3.0 only | low | |
2022-12-16 | IdP, OpenSAML < 4.2.0 | critical | ||
2018-01-23 | All | high | ||
2017-05-18 | All | high |
...