...
Date fixed | Affects versions | Fixed in versions | Jira | Description |
---|---|---|---|---|
3-Nov-2023 | 2.5.23-2.5.68, v2.6.0-v2.6.19, v4.0.1-v4.7.2, v5.0.3-v5.4.0 | v2.5.69, v4.8.0, v5.5.0 | | Authentication bypass security issue |
9-Nov-2020 | 2.5.36 and 2.5.37 | 2.5.36.1, 2.5.37.1, 2.5.38+ | | Container prints env vars to logs, which can be passwords |
14-May-2020 | 2.4 ui patch 46+, 2.5 up to 2.5.27 | 2.5.28 | | Some encrypted values can be shown on UI to admins |
24-Apr-2019 | 2.4 | v2_4_0_api_patch_42 | GRP-2110 | Use SSL context while making rabbitmq connection |
20-Aug-2018 | 2.3 ui patch 44 | Patch for 2.3.0 | GRP-1875 | Subject audits should only be seen by grouper admins |
20-Aug-2018 | 2.3 api patch 109 | Patch for 2.3.0 | GRP-1876 | Flash cache in groups can allow subjects to view (not read) objects with quick subsequent requests |
20-Jul-2018 | 2.2 and 2.3 | Patch for 2.2.2 and 2.3.0 | GRP-1838 | XSRF problem with /UiV2Public.index |
29-Nov-2015 | 1.4-2.2.2 | Patch for 2.2.2 | GRP-1227 | Security issue with subject api init params |
18-Nov-2015 | 2.2.0, 2.2.1, 2.2.2 | Patch for 2.2.2 | GRP-1222 | |
14-Sep-2013 | 2.1.5 and before | | | Grouper UI is susceptible to CSRF / XSRF (cross-site request forgery) |
16-Aug-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | | Grouper UI allows unauthorized users to view the privileges of other subjects |
2-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3) | 1.6.3, 2.0.3, 2.1.3 | | Deleting an attributeDef can cause incorrect membership deletes |
1-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.6.3, 2.0.3, 2.1.4 | | |
28-Jul-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | | WS getGrouperPrivilegesLite can return more data than the user should be able to see |
22-Dec-2010 | 1.5 (build 0,1,2,3), 1.6 (build 0,1,2) | 1.5.3, 1.6.2 | | A bug in the Grouper UI allows unauthorized users to view user audit logs by URL manipulation |
...