CVE-2025-53003
HIGHjans-config-api-server < 1.8.0 - Unauthenticated Exposure of Sensitive Information via Missing Scope Verification
Title source: llmDescription
The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/JanssenProject/jans/security/advisories/GHSA-373j-mhpf-84wg
Issue Tracking x_refsource_misc
https://github.com/JanssenProject/jans/issues/11575
Patch x_refsource_misc
https://github.com/JanssenProject/jans/commit/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1
Release Notes x_refsource_misc
https://github.com/JanssenProject/jans/releases/tag/v1.8.0
Scores
CVSS v4
8.2
EPSS
0.0034
EPSS Percentile
25.9%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-269
CWE-284
Status
published
Products (2)
io.jans/jans-config-api-server
0 - 1.8.0Maven
JanssenProject/jans
< 1.8.0
Published
Jul 01, 2025
Tracked Since
Feb 18, 2026