
CVE-2025-53003 io.jans:jans-config-api-server

Package

Manager: maven
Name: io.jans:jans-config-api-server
Vulnerable Version: >=0 <1.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00059 (percentile 0.18334)

Details

Janssen Config API returns results without scope verification

### Impact

_What kind of vulnerability is it? Who is impacted?_

The Config API is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability with a large internal attack surface that exposes all sorts of information from the IDP, including clients, users, scripts, etc. This affects all users of Janssen <1.8.0 and Gluu Flex <5.8.0.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

All users are advised to upgrade immediately to [1.8.0](https://github.com/JanssenProject/jans/releases/tag/v1.8.0) for Janssen users and [5.8.0](https://github.com/GluuFederation/flex/releases/tag/v5.8.0) for Flex users.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

The user can potentially fork and build the Config API and patch it in their system following the commit here: https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1

### References

_Are there any links users can visit to find out more?_

- https://github.com/JanssenProject/jans/issues/11575
- https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1

Metadata

Created: 2025-06-30T17:52:44Z
Modified: 2025-07-01T13:13:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-373j-mhpf-84wg/GHSA-373j-mhpf-84wg.json
CWE IDs: ["CWE-200", "CWE-269", "CWE-284"]
Alternative ID: GHSA-373j-mhpf-84wg
Finding: F039
Auto approve: 1