This affects Grouper v2.4 with UI patch #46 or later, and Grouper v2.5 versions before v2.5.28 (v2.5.28 itself is fixed).
You are affected if both of the following hold:
- The UI config editor is enabled
- You have encrypted config values whose keys do not contain "pass", "secret" or "private" (matched case-insensitively). Note: most of the built-in Grouper sensitive configuration keys contain one of these substrings in their names and so are not affected.
If so, Grouper admins at your institution can see the decrypted values of those configs in the UI, from any of the IP addresses allowed for the UI config editor.
Verify if you are affected
- Go to the UI configuration screens, see which properties are customized, and check whether the values of sensitive encrypted configs are shown decrypted

Remediate (choose one)
- Upgrade to v2.5.28
- Move those encrypted values into files (still encrypted), and change your config to read the files and decrypt them with an expression language scriptlet
- Disable the UI config editor by editing grouper-ui.properties so that the configuration editor is not allowed from any IP address; manage these configurations from GSH until you upgrade
- Restrict the UI config editor to the IP addresses of those Grouper admins who are allowed to see those passwords
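To triage offline which of your customized keys fall under the affected rule above (encrypted value, key name without "pass", "secret" or "private"), here is an added example script; it is not Grouper's code and does not reproduce Grouper's internals. It assumes a properties-style overrides dump and, purely for illustration, that an encrypted value is written as ENC(...); the page does not state how Grouper marks encrypted values, so swap in your own convention. The sample keys and values are constructed.

```python
"""Triage which encrypted Grouper config values the vulnerable UI config
editor would display unmasked. Added example; not Grouper code."""

# Marker substrings the advisory says the editor matches, case-insensitively.
SENSITIVE_NAME_MARKERS = ("pass", "secret", "private")


def name_looks_sensitive(key: str) -> bool:
    """The name-based heuristic described in the advisory: a key counts as
    sensitive only if its name contains one of the marker substrings."""
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_NAME_MARKERS)


def should_mask_hardened(key: str, is_encrypted: bool) -> bool:
    """Rule a hardened editor would apply: mask anything that is encrypted,
    in addition to anything whose name looks sensitive."""
    return is_encrypted or name_looks_sensitive(key)


def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties parser: splits each line at the first
    '=' or ':', skips blank lines and '#'/'!' comments. Enough for a dump of
    customized overrides; escape sequences are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            continue
        idx = min(positions)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def looks_encrypted(value: str) -> bool:
    """ASSUMPTION for this example: an encrypted value is written as
    ENC(<ciphertext>). Grouper's real representation is not stated on the
    page; replace this predicate with whatever your overrides use."""
    return value.startswith("ENC(") and value.endswith(")")


def exposed_keys(props: dict, is_encrypted=looks_encrypted) -> list:
    """Keys whose encrypted value the name heuristic would NOT mask, i.e. the
    ones a Grouper admin could read in the clear through the UI editor.
    These are the values to move, and to rotate after remediation."""
    return sorted(k for k, v in props.items()
                  if is_encrypted(v) and not name_looks_sensitive(k))


# Constructed sample overrides; keys and ciphertexts are illustrative only.
SAMPLE_OVERRIDES = """
# ldap
ldap.personLdap.url = ldap://ldap.example.edu:389
ldap.personLdap.pass = ENC(AbC123)
# downstream service credentials
ws.clientApiKey = ENC(Zz9)
db.connection.token = ENC(Qq1)
sso.signingKeyPrivate = ENC(Kk7)
grouper.api.client.secret = ENC(Ss5)
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_OVERRIDES)
    for key in sorted(props):
        masked_now = name_looks_sensitive(key)
        masked_fixed = should_mask_hardened(key, looks_encrypted(props[key]))
        print(f"{key:32s} masked_by_name={masked_now!s:5s} "
              f"masked_hardened={masked_fixed}")
    print("exposed:", exposed_keys(props))
```

On the sample input, ldap.personLdap.pass, grouper.api.client.secret and sso.signingKeyPrivate are masked by the name check, while db.connection.token and ws.clientApiKey are encrypted yet displayed in the clear; those two are the ones to move out of the editor's reach and rotate.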
Note: review (attest) the membership of your Grouper admins group now, and configure attestation on it so that you are reminded to review it periodically.
Note: because this vulnerability is uncommon and remediations exist for v2.4, we will not be providing a patch for v2.4 at this time.
Note: if you are affected, applying a remediation is not enough on its own: rotate any encrypted values or passwords that could have been exposed, since remediation does not undo any prior disclosure.