[MODLOGSAML-130] Pac4j 5.2.1, RMB 33.2.4, vertx-pac4j 6.0.0 fixing unsecure token (CVE-2021-44878) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: None
Fix Version/s: 2.4.0
Labels:
- security

Template:

Standard Bug Write-Up Format
Sprint:
CP: sprint 131
Story Points:
1
Development Team:
Core: Platform

Description

Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with "none" algorithm. This is insecure because it disables signature validation:

https://nvd.nist.gov/vuln/detail/CVE-2021-44878

Update Pac4j from 5.1.4 to 5.2.1.

Also update RMB 33.2.3 to 33.2.4 (this bumps log4j from 2.17.0 to 2.17.1).

And update vertx-pac4j from 6.0.0-FOLIO.1 to 6.0.0.

TestRail: Results

Attachments

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Jan/22 3:11 PM

Updated:: 11/Jan/22 4:18 PM

Resolved:: 11/Jan/22 4:18 PM

Pac4j 5.2.1, RMB 33.2.4, vertx-pac4j 6.0.0 fixing unsecure token (CVE-2021-44878)