Commit

update post
mmoayyed committed Jul 12, 2024
1 parent 79e0150 commit 8bd16ef
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion _posts/cas/2024-06-26-oidc-vuln.md
Expand Up @@ -33,7 +33,7 @@ If you or your institution is a member of the Apereo foundation with an active s

# Severity

Details will be made public once the [security grace period](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) has passed.
If your CAS server is functioning as an OAuth or OpenID Connect identity provider **AND** you have configured the system to create and share **access tokens as JWTs**, you are affected by this issue, which mistakenly allows CAS to ignore the attribute/claim release policies assigned to the application definition and to release all possible claims to the application as part of the JWT access token. The patch releases listed below should help CAS re-evaluate the claim release policy of the application before building and sharing a JWT access token. There are also smaller measures in place to ensure CAS selects the correct *indexed* service definition during request processing, particularly if and when the service definition record is modified dynamically at runtime.

# Timeline

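Review bot: The new paragraph under the "# Severity" heading never states a severity level; it gives the affected configuration (OAuth/OIDC identity provider with JWT access tokens) and the fix, but a reader scanning for a rating (critical/high/medium, or a CVSS score) finds none, so consider adding one sentence that names it. Two phrasings also undercut an advisory: "The patch releases listed below should help CAS re-evaluate the claim release policy" reads as uncertain, so state plainly that the patched releases re-evaluate the policy before issuing a JWT access token; and "There are also smaller measures in place to ensure CAS selects the correct *indexed* service definition" is vague about what changed and why it matters, so either describe the failure mode (stale service record selected after a runtime modification) or drop the sentence. Finally, "configured the system to create and share access tokens as JWTs" would be easier for operators to check against their deployment if the paragraph named or linked the configuration setting that enables JWT access tokens.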
