We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-53003

Janssen Config API returns results without scope verification



Description

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.

Reserved 2025-06-24 | Published 2025-07-01 | Updated 2025-07-01 | Assigner GitHub_M


HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-269: Improper Privilege Management

CWE-284: Improper Access Control

Product status

< 1.8.0
affected

References

github.com/...t/jans/security/advisories/GHSA-373j-mhpf-84wg

github.com/JanssenProject/jans/issues/11575

github.com/...ommit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1

github.com/JanssenProject/jans/releases/tag/v1.8.0

cve.org (CVE-2025-53003)

nvd.nist.gov (CVE-2025-53003)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-53003

Support options

Helpdesk Chat, Email, Knowledgebase