v74.1.0 - UAA Release v74.1.0

@cf-identity cf-identity released this 09 Sep 20:44

FEATURES

Added the ability to forward the IP address of the caller to the IdP when using OIDC password grant

Improved UAA's ability to reconnect to its database after a VM restart, eliminating UAA's former 503/failure mode

SECURITY

CVE-2019-11279: Addressed a privilege escalation via scope manipulation in UAA
CVE-2019-11278: Addressed a privilege escalation via blind SCIM injection in UAA

BUG FIXES

Fixed a bug that could potentially cause unnecessary and failing requests to the database

Added a missing audit log event for failed authentication against the external IdP, specifically in the OIDC password grant flow

DEPENDENCY UPDATES

Bump Spring Boot from 2.1.6.RELEASE to 2.1.7.RELEASE
Bump log4j2 from 2.12.0 to 2.12.1
Bump slf4j-api from 1.7.27 to 1.7.28
Bump groovy from 2.5.7 to 2.5.8
Bump scim-sdk from 1.8.21 to 1.8.22
Bump snakeyaml from 1.24 to 1.25
Bump tomcat from 9.0.22 to 9.0.24
Bump api-ldap-model from 1.0.0 to 1.0.3 [Security CVE-2019-0231]
Bump mockito from 2.13.0 to 3.0.0
Bump flyway-core from 5.2.4 to 6.0.0
Bump guava from 28.0-jre to 28.1-jre