Hey @ephmral, the configAPI is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability that has a large internal attack surface area. It wasn't referenced in the releases due to the PR title missing conventional commit standards, which was unintentional. That should be fixed.

A. We are working on disclosing it. It's already in draft mode. You should see it disclosed a little after our release. The 1.8.0 release is still going through post-QA runs. After full verification of the 1.8.0 release and our internal notes to our partners, we will disclose the issue. We did work on the 1.8.0 release right after the report of this issue to bring a resolution out ASAP.

B. It does affect previous versions, but we support auto upgrades, so to address this issue everyone should upgrade their versions. If the user hasn't followed best practices in keeping up with our last 2 released versions, they should upgrade in batches: 1.1.0 —> 1.3.0 —> 1.5.0 —> 1.7.0 and so on.

Thanks for your care and notes!
Hi Janssen Community,
I posted a concern earlier this week with regards to an issue with authentication.
#11575
#11575 (comment)
This effectively opens up for token exposure and subsequent privilege escalation. I have a PoC for how to exploit this if there's interest. AFAIK this affects many versions of Janssen dating back at least a year...?
However, I didn't get any response to this, and I now notice that the fix for this is included in release 1.8.0; however, I can't see the issue being mentioned in the release notes. This concerns me, as it means that many people can/will go unpatched.
https://github.com/JanssenProject/jans/releases/tag/v1.8.0
I'm quite underwhelmed that this is not a) disclosed as a vulnerability (as a CVE or similar), as this is critical and affects many previous versions, and b) that there's no hotfix for previous versions, meaning that a lot of users/customers remain vulnerable without knowing.
What are your thoughts on this?