We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.
Reserved 2025-06-24 | Published 2025-07-01 | Updated 2025-07-01 | Assigner GitHub_MCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-269: Improper Privilege Management
CWE-284: Improper Access Control
github.com/...t/jans/security/advisories/GHSA-373j-mhpf-84wg
github.com/JanssenProject/jans/issues/11575
github.com/...ommit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1
github.com/JanssenProject/jans/releases/tag/v1.8.0
Support options