| Tip |
|---|
This is the advisory page for Identity Provider V5 releases. For IdP plugins supported by the project, see the plugins home page. For older IdP advisories, please refer to the V4 IDP SecurityAdvisories page. For the SP, please refer to V3 SPÂ SecurityAdvisories page. As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html |
...
The oldest IdP 5 version unaffected by fixable vulnerabilities is 5.1.02.0
Version | EOL | User Data Exposure | User Data Accuracy | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
All | X | X | X | 2018-01-23, 2017-05-18 | |||
5.1.3 | |||||||
5.1.2 | Jul 2024 | ||||||
5.1.1 | Apr 2024 | X | 2024-03-20 | ||||
5.1.0 | Mar 2024 | X | 2024-03-20 | ||||
5.0.0 | Mar 2024 | X |
Advisory List
Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
2024-03-20 | CAS service URL handling vulnerable to Server-Side Request Forgery | IdP < 5.1.12 | low | CVE-2024-22259, CVE-2024-22262 |
2018-01-23 | All | high | ||
2017-05-18 | All | high |
...
In the event that we ship releases known to, or that we subsequently discover to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.
V5.1.
...
3
Guava (any) (CVE-2020-8908)
We don't use the affected, deprecated function, and there is no fix for the issue.
Spring Framerwork (CVE-2024-38809, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820)
The IdP is not impacted by these issues.
Bouncy Castle (CVE-2024-29857, CVE-2024-30171 , CVE-2024-30172, CVE-2024-34447)
The IdP is not impacted by these issues. Bouncy Castle is problematic to update because they do not follow sensible API and behavioral versioning practices and mix functional and ABI changes with security fixes. While we may update it once we are able, our priority is to remove our runtime dependency on it (It likely will continue to be used by the installer in very limited fashion).