Connect2id server and CVE-2023-5072

Our CVE scanner recently flagged a DoS vulnerability (CVE-2023-5072) in the dependency org.json:json:20230227.

Fortunately this dependency is used in a single, non-critical place, to evaluate JSON paths as part of a configuration check in the optional software statement verifier (SSV) plugin of the Connect2id server.

There is no need to take action, unless all of the following apply:

  1. You have enabled open dynamic client registration.

  2. You have a Connect2id server deployment with an enabled SSV plugin.

  3. The plugin is configured with op.ssv.scopeRules.* entries that represent JSON Path queries.

Because the scope rules check is performed only after the software statement has been successfully authenticated (its JWS validated), the DoS exploitation risk is minimal.

We have released a patched SSV plugin that bumps the org.json:json dependency to 20231013.
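To confirm which org.json:json version a deployment actually pulls in, the following added Python check (not Connect2id's own tooling) scans the text output of `mvn dependency:tree` and reports any occurrence older than the patched 20231013 release; the sample tree lines are constructed for illustration, and the coordinate layout assumed is the standard `groupId:artifactId:packaging[:classifier]:version[:scope]` form.

```python
import re
from typing import Iterable, List, Tuple

# org.json publishes date-based versions (yyyyMMdd), so an integer
# comparison is a valid "older than the fix" test.
PATCHED_VERSION = 20231013
VULNERABLE_GA = "org.json:json"

MAVEN_SCOPES = {"compile", "runtime", "test", "provided", "system", "import"}

# One coordinate token as printed by `mvn dependency:tree`:
#   groupId:artifactId:packaging[:classifier]:version[:scope]
COORD_RE = re.compile(r"[\w.\-]+:[\w.\-]+(?::[\w.\-]+){2,4}")

# Constructed sample output, not taken from a real build.
SAMPLE_TREE = [
    "[INFO] com.example:ssv-plugin-test:jar:1.0",
    "[INFO] +- org.json:json:jar:20230227:compile",
    "[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:9.37:compile",
    "[INFO] \\- org.json:json:jar:20231013:test",
]


def parse_coordinate(token: str) -> Tuple[str, str]:
    """Return (groupId:artifactId, version) for one coordinate token."""
    parts = token.split(":")
    # Drop a trailing scope so the version is always the last element,
    # whether or not a classifier is present.
    if parts[-1] in MAVEN_SCOPES:
        parts = parts[:-1]
    return f"{parts[0]}:{parts[1]}", parts[-1]


def find_vulnerable(tree_lines: Iterable[str], ga: str = VULNERABLE_GA,
                    patched: int = PATCHED_VERSION) -> List[Tuple[str, str]]:
    """Return (line, version) for every occurrence of `ga` older than `patched`."""
    hits = []
    for line in tree_lines:
        for match in COORD_RE.finditer(line):
            found_ga, version = parse_coordinate(match.group(0))
            if found_ga != ga:
                continue
            # A non-date version cannot be compared; report it for manual review.
            if not version.isdigit() or int(version) < patched:
                hits.append((line.strip(), version))
    return hits


if __name__ == "__main__":
    for line, version in find_vulnerable(SAMPLE_TREE):
        print(f"vulnerable {VULNERABLE_GA} {version}: {line}")
```

Pipe a real `mvn dependency:tree` run into `find_vulnerable` line by line to check a deployment's build rather than the constructed sample.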

The patched SSV plugin will be included in the next Connect2id server release.