The vulnerability stems from the exposure of the internal ConfigAPI service to the internet, allowing unauthorized access to sensitive Identity Provider (IDP) data. Attackers can exploit this misconfiguration to retrieve client details, user information, scripts, and other critical system configurations. The flaw occurs due to improper access controls in Janssen versions <1.8.0 and Gluu Flex versions <5.8.0, where the API fails to enforce authentication for internal endpoints.
DailyCVE Form:
Platform: Janssen & Gluu Flex
Version: <1.8.0 / <5.8.0
Vulnerability: Information Disclosure
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch expected by 2023-XX-XX
What Undercode Say:
Check exposed ConfigAPI endpoints:
curl -X GET http://<target>/jans-config-api/api/v1
Verify patch via commit:
git clone https://github.com/JanssenProject/jans
cd jans
git checkout 92eea4d
How Exploit:
- Unauthenticated HTTP requests to `/jans-config-api/api/v1`
- Retrieval of client secrets, user attributes, and scripts
Protection from this CVE:
- Upgrade to Janssen 1.8.0 / Gluu Flex 5.8.0
- Restrict ConfigAPI to internal network
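To confirm the restriction holds in practice, the following added example (not from the advisory or the Janssen project) scans reverse-proxy access logs for ConfigAPI requests that arrived from outside the internal network and reports whether they were served. The combined log format, the internal ranges in `INTERNAL_NETS`, and the sample lines are assumptions.

```python
import ipaddress
import re

# Assumption: networks allowed to reach ConfigAPI; adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
CONFIG_API_PREFIX = "/jans-config-api/"  # path prefix named in the advisory

# Assumption: proxy access log in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_internal(addr):
    """True if addr parses as an IP inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable client field: treat as external
    return any(ip in net for net in INTERNAL_NETS)

def external_config_api_hits(lines):
    """Return (ip, timestamp, path, status, served) for each ConfigAPI
    request whose client address is outside INTERNAL_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CONFIG_API_PREFIX):
            continue
        if is_internal(m["ip"]):
            continue
        status = int(m["status"])
        # served=True means the request got a 2xx answer: data left the host.
        hits.append((m["ip"], m["ts"], m["path"], status, 200 <= status < 300))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:22 +0000] "GET /jans-config-api/api/v1 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '10.1.2.3 - - [01/Jan/2024:10:02:00 +0000] "GET /jans-config-api/api/v1 HTTP/1.1" 200 5120 "-" "admin-ui"',
    '198.51.100.9 - - [01/Jan/2024:10:03:41 +0000] "GET /jans-config-api/api/v1 HTTP/1.1" 401 91 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:04:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, path, status, served in external_config_api_hits(SAMPLE_LOG):
        print(f"{'EXPOSED' if served else 'blocked'} {ip} [{ts}] {path} -> {status}")
```

If the proxy sits behind a load balancer, the client field holds the balancer's address, so log and parse the forwarded client address instead.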
Impact:
- Full IDP configuration exposure
- Compromise of authentication mechanisms
Sources:
Reported By: github.com