Guava (any) (CVE-2020-8908)
We don't use the affected, deprecated function, and there is no fix for the issue.
Apache Commons compress (CVE-2023-42503)
We do use the affected feature to handle plugin installation, however we enforce signature checking before we unpack anything, so exploiting this woould require deliberately accepting a signed file from an untrusted actor, and the threat of an “offline” denial of service is not significant as a running IdP would not be not impacted. We will patch this in a future release.
Spring Framework (CVE-2023-34053)
We do not install the necessary “ObservationRegistry” allowing the exploit to occur (and it is only a DoS in any event). We will patch this in a future release.
logback < 1.4.12 (CVE-2023-6378)
The issue impacts an unusual feature of logback allowing remote collection of log events and the bug exists in the “receiver” component. Thus, the IdP’s use of logback would not involve this feature. We will patch this in a future release.