| Date fixed | Affects versions | Patched for versions | Jira | Description and patch |
|---|---|---|---|---|
| 9-Nov-2020 | 2.5.36 and 2.5.37 | 2.5.36.1, 2.5.37.1, 2.5.38+ | GRP-3015 | Container prints environment variables, which can include passwords, to logs |
| 14-May-2020 | 2.4 UI patch 46+, 2.5 up to 2.5.27 | 2.5.28 | GRP-2705 | Some encrypted values can be shown in the UI to admins |
| 24-Apr-2019 | 2.4 | v2_4_0_api_patch_42 | GRP-2110 | Use the SSL context when making the RabbitMQ connection |
| 20-Aug-2018 | 2.3 UI patch 44 | Patch for 2.3.0 | GRP-1875 | Subject audits should only be visible to Grouper admins |
| 20-Aug-2018 | 2.3 API patch 109 | Patch for 2.3.0 | GRP-1876 | Flash cache in groups can allow subjects to view (not read) objects via quick subsequent requests |
| 20-Jul-2018 | 2.2 and 2.3 | Patch for 2.2.2 and 2.3.0 | GRP-1838 | XSRF problem with /UiV2Public.index |
| 29-Nov-2015 | 1.4 to 2.2.2 | Patch for 2.2.2 | GRP-1227 | Security issue with subject API init params |
| 18-Nov-2015 | 2.2.0, 2.2.1, 2.2.2 | Patch for 2.2.2 | GRP-1222 | XSS vulnerability in tooltips in the new UI |
| 14-Sep-2013 | 2.1.5 and before | | GRP-934 | Grouper UI is susceptible to CSRF / XSRF (cross-site request forgery) |
| 16-Aug-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | GRP-928 | Grouper UI allows unauthorized users to view the privileges of other subjects |
| 2-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3) | 1.6.3, 2.0.3, 2.1.3 | GRP-880 | Deleting an attributeDef can cause incorrect membership deletes |
| 1-Aug-2013 | 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.6.3, 2.0.3, 2.1.4 | GRP-911 and GRP-924 | Unauthorized users can delete attribute assignments |
| 28-Jul-2013 | 1.4, 1.5, 1.6, 2.0, 2.1 (build 0,1,2,3,4) | 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.4 | GRP-923 | WS getGrouperPrivilegesLite can return more data than the user should be able to see |
| 22-Dec-2010 | 1.5 (build 0,1,2,3), 1.6 (build 0,1,2) | 1.5.3, 1.6.2 | GRP-519 | A bug in the Grouper UI allows unauthorized users to view user audit logs by URL manipulation |