CVE-2025-53003
Janssen Config API returns results without scope verification
描述
### Impact _What kind of vulnerability is it? Who is impacted?_ The configAPI is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability that has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This affects all users of Janssen <1.8.0 and Gluu Flex <5.8.0 ### Patches _Has the problem been patched? What versions should users upgrade to?_ All users are advised to upgrade immediately to [1.8.0](https://github.com/JanssenProject/jans/releases/tag/v1.8.0) for Janssen users and [5.8.0](https://github.com/GluuFederation/flex/releases/tag/v5.8.0) For Flex users. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ The user can potentially fork and build the config api and patch it in their system following the commit here https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1 ### References _Are there any links users can visit to find out more?_ https://github.com/JanssenProject/jans/issues/11575 https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1
如何修補 CVE-2025-53003
要修補 CVE-2025-53003,請將受影響套件升級到下列已修補版本。
- —升級至 1.8.0 或更新版本
CVE-2025-53003 正在被利用嗎?
低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.8.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |