...
As always, sites are advised to use the latest stable release of any Grouper product. Refer to the Grouper Downloads page for information about our support and versioning policies. The Security Advisories page identifies the specific versions recommended at a given point in time.
...
Date fixed | Affects versions | Patched for versions | Jira | Description and patch |
---|---|---|---|---|
24-Apr-2019 | 2.4 | v2_4_0_api_patch_42 | GRP-2110 | Use SSL context while making rabbitmq connection |
20-Aug-2018 | 2.3 ui patch 44 | Patch for 2.3.0 | GRP-1875 | subject audits should only be seen by grouper admins |
20-Aug-2018 | 2.3 api patch 109 | Patch for 2.3.0 | GRP-1876 | flash cache in groups can allow subjects to view (not read) objects with quick subsequent requests |
20-Jul-2018 | 2.2 and 2.3 | Patch for 2.2.2 and 2.3.0 | GRP-1838 | xsrf problem with /UiV2Public.index |
29-Nov-2015 | 1.4-2.2.2 | Patch for 2.2.2 | GRP-1227 | security issue with subject api init params |
18-Nov-2015 | 2.2.0, 2.2.1, 2.2.2 | Patch for 2.2.2 | GRP-1222 | xss vulnerability in tooltips in new UI |
14-Sep-2013 | 2.1.5 and before | | GRP-934 | Grouper UI is susceptible to CSRF / XSRF Cross site request forgery |
16-Aug-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | GRP-928 | Grouper UI allows unauthorized users to view the privileges of other subjects |
2-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3) | 1.6.3, 2.0.3, 2.1.3 | GRP-880 | Deleting an attributeDef can cause incorrect membership deletes |
1-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.6.3, 2.0.3, 2.1.4 | GRP-911 and GRP-924 | Unauthorized users can delete attribute assignments |
28-Jul-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | GRP-923 | WS getGrouperPrivilegesLite can return more data than the user should be able to see |
22-Dec-2010 | 1.5 (build 0,1,2,3), 1.6 (build 0,1,2) | 1.5.3, 1.6.2 | GRP-519 | A bug in the Grouper UI allows unauthorized users to view user audit logs by URL manipulation |
...