Versions Compared

Version Old Version 19 New Version 20
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Tip

This is the advisory page for Identity Provider V5 releases. For IdP plugins supported by the project, see the plugins home page. For older IdP advisories, please refer to the V4 IDP SecurityAdvisories page.

For the SP, please refer to V3 SP SecurityAdvisories page.

As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html

...

Version

EOL

User Data Exposure

User Data Accuracy

Session Hijacking

Denial of Service

Remote Exploit

Advisories

All

X

X

X

2018-01-23, 2017-05-18

5.1.3

5.1.2

Jul 2024

5.1.1

Apr 2024

X

2024-03-20

5.1.0

Mar 2024

X

2024-03-20

5.0.0

Mar 2024

X

Advisory List

Date

Title

Affects

Severity

CVE

2024-03-20

CAS service URL handling vulnerable to Server-Side Request Forgery

IdP < 5.1.2

low

CVE-2024-22259, CVE-2024-22262

2018-01-23

Implications of ROBOT TLS vulnerability

All

high

2017-05-18

Default Kerberos configurations are unsafe

All

high

...

  • Guava (any) (CVE-2020-8908)

    • We don't use the affected, deprecated function, and there is no fix for the issue.

  • Spring Framerwork (CVE-2024-38809, CVE-2024-38816, CVE-2024-38819, CVE-2024-38820)

    • The IdP is not impacted by these issues.

  • Bouncy Castle (CVE-2024-29857, CVE-2024-30171 , CVE-2024-30172, CVE-2024-34447)

    • The IdP is not impacted by these issues. Bouncy Castle is problematic to update because they do not follow sensible API and behavioral versioning practices and mix functional and ABI changes with security fixes. While we may update it once we are able, our priority is to remove our runtime dependency on it (It likely will continue to be used by the installer in very limited fashion).

  • Netty (CVE-2024-47535)

    • This is a ridiculous CVE. Yes, if you give an attacker the ability to create a file on your Windows server running the IdP, they can cause a denial of service attack. They can also do a lot more than that by definition so they aren’t going to waste their time on a silly DOS like this.