Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Tip

This is the advisory page for Identity Provider V5 releases. For IdP plugins supported by the project, see the plugins home page. For older IdP advisories, please refer to the V4 IDP SecurityAdvisories page.

For the SP, please refer to V3 SP SecurityAdvisories page.

As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html

...

The oldest IdP 5 version unaffected by fixable vulnerabilities is 5.01.2.0

Version

EOL

User Data Exposure

User Data Accuracy

Session Hijacking

Denial of Service

Remote Exploit

Advisories

All

X

X

X

2018-01-23, 2017-05-18

5.1.3

5.1.2

Jul 2024

5.1.1

Apr 2024

X

2024-03-20

5.1.0

Mar 2024

X

2024-03-20

5.0.0

Mar 2024

X

Advisory List

Date

Title

Affects

Severity

CVE

2024-03-20

CAS service URL handling vulnerable to Server-Side Request Forgery

IdP < 5.1.2

low

CVE-2024-22259, CVE-2024-22262

2018-01-23

Implications of ROBOT TLS vulnerability

All

high

2017-05-18

Default Kerberos configurations are unsafe

All

high

Library Issues

Because we have relatively infrequent releases and a strict versioning policy, it is not rare that we ship third-party libraries that may contain unfixed vulnerabilities when those issues are believed to be non-impactful. This is often due to timing; for example, we may be unable to adequately test a new version of something in time to include it in a release and may determine that the less risky course is to stay on an older version. Alternatively, it may be impossible to update something because of the API changes required, since many projects do not adhere to semantic (or any) versioning.

In the event that we ship releases known to, or that we subsequently discover to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.

V5.

...

1.

...

3

  • Guava (any) (CVE-2020-8908)

    • We don't use the affected, deprecated function, and there is no fix for the issue.

  • Apache Commons compress Spring Framerwork (CVE-2023-42503)

    • We do use the affected feature to handle plugin installation, however we enforce signature checking before we unpack anything, so exploiting this woould require deliberately accepting a signed file from an untrusted actor, and the threat of an “offline” denial of service is not significant as a running IdP would not be not impacted. We will patch this in a future release.

  • Spring Framework (CVE-2023-34053)

    • We do not install the necessary “ObservationRegistry” allowing the exploit to occur (and it is only a DoS in any event). We will patch this in a future release.

  • Spring Framework (CVE-2024-22233)

    • We do not include or recommend the use of Spring Security in our software; however, deployers could choose to add it themselves, and would then be vulnerable to this issue. It is however a denial of service issue only.

  • logback < 1.4.12 (CVE-2023-6378)

    The issue impacts an unusual feature of logback allowing remote collection of log events and the bug exists in the “receiver” component. Thus, the IdP’s use of logback would not involve this feature. We will patch this in a future release

    2024-38809, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820)

    • The IdP is not impacted by these issues.

  • Bouncy Castle (CVE-2024-29857, CVE-2024-30171 , CVE-2024-30172, CVE-2024-34447)

    • The IdP is not impacted by these issues. Bouncy Castle is problematic to update because they do not follow sensible API and behavioral versioning practices and mix functional and ABI changes with security fixes. While we may update it once we are able, our priority is to remove our runtime dependency on it (It likely will continue to be used by the installer in very limited fashion).