EGI SVG Advisories

Advisory-EGI-SVG-2025-19

HIGH risk INDIGO IAM vulnerabilities

Date: 2025-10-22
Updated: 2025-12-03

HIGH risk vulnerability concerning INDIGO IAM where a protected
resource client can obtain tokens using the client-credentials flow.

IDs AND CVSS SCORE

EGI SVG ID : EGI-SVG-2025-19

CVE ID : N/A

CVSS Score : N/A

AFFECTED SOFTWARE AND VERSIONS

All releases of INDIGO IAM up to and including version 1.12.2.

ACTIONS REQUIRED/RECOMMENDED

Sites are recommended to update relevant components
using information in the references below, if they have
not already updated to version 1.12.3 or later.

COMPONENT INSTALLATION INFORMATION

Update INDIGO IAM to release 1.12.3 or later [R 3]

See references below for further information

MITIGATION

There is no mitigation.

MORE INFORMATION

Note that this is fixed in the same release as a previous ‘MODERATE’
risk vulnerability, so sites that have acted on EGI-SVG-2025-18 should
already not be vulnerable.

STATUS OF THIS ADVISORY

TLP:CLEAR information - Unlimited distribution

https://advisories.egi.eu/Advisory-EGI-SVG-2025-19

Minor updates may be made without re-distribution to the sites.

CONTACT AND OTHER INFORMATION ON SVG


This advisory is subject to the Creative Commons licence 
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group 
must be credited.

Comments or questions should be sent to svg-rat at mailman.egi.eu

Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu

(see [R 99] for further details, and other information on SVG)

REFERENCES