Connect2id server and CVE-2023-5072
Our CVE scanner recently returned a DoS vulnerability for the JSON.org
Fortunately this dependency is used in a single, non-critical place, to evaluate JSON paths as part of a configuration check in the optional software statement verifier (SSV) plugin of the Connect2id server.
There is no need to take action, unless all of the following applies:
You have enabled open dynamic client registration:
You have a Connect2id server deployment with an enabled SSV plugin:
The plugin is configured with op.ssv.scopeRules.* rules that represent JSON Path queries.
Because the scope rules check is performed only after the software statement has been successfully authenticated (its JWS validated), the DoS exploitation risk is minimal.
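A quick triage helper for the third condition above, added here as an example and not code from Connect2id: it reads a server configuration in Java properties format and lists the op.ssv.scopeRules.* entries whose value is a JSON Path query (the rules that are evaluated with the affected JSON-java library). Only the op.ssv.scopeRules.* key prefix comes from the advisory; the sample scope names and values are constructed, and the assumption that non-JSON-Path rules are plain literals is mine.

```python
import re
from typing import Dict, List

# Constructed sample configuration in Java .properties format.
# The op.ssv.scopeRules.* prefix is from the advisory; the scope names
# and rule values below are made up for this example.
SAMPLE_CONFIG = """\
# constructed example, not a real deployment
op.ssv.scopeRules.openid=true
op.ssv.scopeRules.email=$.software_roles[?(@ == 'email')]
op.ssv.scopeRules.payments=$.permissions.payments
op.ssv.scopeRules.profile=false
"""

# A JSON Path query starts with the root symbol "$" followed by "." or "[".
JSON_PATH_RE = re.compile(r"^\$[.\[]")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value (or key:value) lines,
    '#' / '!' comment lines, surrounding whitespace stripped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def json_path_scope_rules(props: Dict[str, str]) -> List[str]:
    """Return the op.ssv.scopeRules.* keys whose value is a JSON Path query,
    i.e. the rules that would be evaluated by the JSON-java dependency
    flagged under CVE-2023-5072. An empty list means that condition
    does not apply to this deployment."""
    return sorted(
        key for key, value in props.items()
        if key.startswith("op.ssv.scopeRules.") and JSON_PATH_RE.match(value)
    )


if __name__ == "__main__":
    hits = json_path_scope_rules(parse_properties(SAMPLE_CONFIG))
    print("JSON Path scope rules:", hits)
```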
We have released a patched-up SSV plugin that bumps the
The patched-up SSV plugin will be included in the next Connect2id server release.