Janssen Project Config API Scope Verification Vulnerability

Vulnerability

A vulnerability exists in the Janssen Project Config API, prior to version 1.8.0, allowing access to API results without proper scope verification. This flaw exposes a wide range of information from the identity provider, including details about clients, users, and scripts. The vulnerability has been addressed in version 1.8.0. Users can apply the patch by forking the Config API, incorporating the necessary changes, and rebuilding the API on their system.

Impact

The vulnerability could lead to unauthorized information disclosure from the identity provider, including sensitive data about clients, users, and scripts.

Reproduction

To reproduce this vulnerability, send a request to the Janssen Config API attributes endpoint without the required scope. The response will include the requested data, bypassing scope restrictions.
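The class of flaw described above, shown as an added example that is not Janssen Project code: one handler accepts any valid token without comparing its scopes, the other enforces a per-endpoint scope requirement and denies by default. The path, scope names and sample data are hypothetical and constructed for illustration.

```python
# Added illustration, not Janssen code. Paths, scope names and data are hypothetical.
from dataclasses import dataclass

# Policy table: (method, path) -> scopes of which at least one must be granted.
REQUIRED_SCOPES = {
    ("GET", "/attributes"): {"example/attributes.readonly"},
    ("POST", "/attributes"): {"example/attributes.write"},
}

ATTRIBUTES = [{"name": "mail"}, {"name": "uid"}]  # constructed sample data


@dataclass
class Response:
    status: int
    body: object = None


def granted_scopes(token_claims):
    """Return the token's scopes as exact values (OAuth 2.0 'scope' is space-delimited)."""
    scope = token_claims.get("scope", "")
    if isinstance(scope, (list, tuple, set)):
        return set(scope)
    return set(str(scope).split())


def handle_unchecked(method, path, token_claims):
    """Flawed pattern: the token is accepted, but its scopes are never compared."""
    if token_claims is None:
        return Response(401)
    return Response(200, ATTRIBUTES)


def handle_checked(method, path, token_claims):
    """Scope-verified pattern with deny-by-default for endpoints lacking a policy."""
    if token_claims is None:
        return Response(401)
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return Response(403)  # no policy registered: refuse rather than allow
    # Exact set intersection, so look-alike or prefixed scope strings do not match.
    if not (required & granted_scopes(token_claims)):
        return Response(403)
    return Response(200, ATTRIBUTES)
```

A regression test for a patched deployment can assert the same outcomes: a token lacking the endpoint's scope must receive a 403, never the data.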

Remediation

Users are advised to upgrade to Janssen version 1.8.0. Instructions for downloading this version are available on the Janssen Project GitHub Releases page.

Added: Jul 1, 2025, 2:35 AM
Updated: Jul 1, 2025, 2:35 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.