CVE-2025-53003: Janssen Config API returns results without scope verification
8.2
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jans:jans-config-api-server | maven | < 1.8.0 | 1.8.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an improper access control issue in the Janssen Config API. The root cause is in io.jans.configapi.util.AuthUtil.findMissingElements, the function that checks whether a client's access token carries the scopes required to call a given API endpoint.
The flawed logic in findMissingElements treated a token carrying no scopes as satisfying an endpoint that required scopes. Specifically, when the list of scopes taken from the token was empty, the function returned an empty "missing" list, so the caller concluded that every required scope was present and let the request through. An attacker could exploit this by presenting a valid access token that had been issued with no scopes at all, gaining unauthorized access to sensitive configuration data such as clients, users, and scripts. Note that the bypass still requires a token the Auth Server will accept as valid; the missing check is on the token's scopes, not on its authenticity.
The patch changes the logic in findMissingElements: when the token's scope list is empty, the function now returns the full list of required scopes as missing, so the request is correctly denied.
io.jans.configapi.security.service.OpenIdAuthorizationService.validateScope is the higher-level method that starts this validation for an API resource. It is the gateway to the flawed comparison, so it appears in any runtime profile or stack trace captured while the vulnerability is being triggered.
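The following is an added illustration of the flaw described in the root-cause analysis and of the patched behaviour; it is not the Janssen project's code. The two findMissingElements variants reconstruct only the behaviour the advisory describes (empty token scopes treated as "nothing missing" before the fix, and as "everything missing" after it); their exact signatures, the isAuthorized caller standing in for validateScope, and the sample scope strings are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not Janssen source. Models the scope comparison that
 * AuthUtil.findMissingElements performs, in its vulnerable and fixed forms,
 * using the behaviour described in the advisory text.
 */
public class ScopeCheckDemo {

    /**
     * Assumed vulnerable shape. An empty token-scope list short-circuits to
     * "no missing scopes", which the caller reads as "authorized".
     */
    static List<String> findMissingElementsVulnerable(List<String> required, List<String> tokenScopes) {
        List<String> missing = new ArrayList<>();
        if (required == null || required.isEmpty() || tokenScopes == null || tokenScopes.isEmpty()) {
            return missing; // BUG: a scopeless token satisfies every requirement
        }
        for (String scope : required) {
            if (!tokenScopes.contains(scope)) {
                missing.add(scope);
            }
        }
        return missing;
    }

    /**
     * Shape matching the patch description: if the endpoint requires scopes
     * and the token carries none, every required scope is reported missing.
     */
    static List<String> findMissingElementsFixed(List<String> required, List<String> tokenScopes) {
        if (required == null || required.isEmpty()) {
            return Collections.emptyList(); // endpoint requires nothing, so nothing can be missing
        }
        if (tokenScopes == null || tokenScopes.isEmpty()) {
            return new ArrayList<>(required); // deny: token has no scopes at all
        }
        List<String> missing = new ArrayList<>();
        for (String scope : required) {
            if (!tokenScopes.contains(scope)) {
                missing.add(scope);
            }
        }
        return missing;
    }

    /**
     * Stand-in for the decision a caller such as validateScope makes:
     * the request is allowed only when no required scope is missing.
     */
    static boolean isAuthorized(List<String> required, List<String> tokenScopes, boolean useFix) {
        List<String> missing = useFix
                ? findMissingElementsFixed(required, tokenScopes)
                : findMissingElementsVulnerable(required, tokenScopes);
        return missing.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample input: a scope string assumed for a clients-listing endpoint.
        List<String> required = Arrays.asList("https://jans.io/oauth/config/openid/clients.readonly");
        List<String> noScopes = Collections.emptyList();
        List<String> wrongScope = Arrays.asList("https://jans.io/oauth/config/attributes.readonly");
        List<String> rightScope = Arrays.asList("https://jans.io/oauth/config/openid/clients.readonly");

        System.out.println("vulnerable, token with no scopes:   " + isAuthorized(required, noScopes, false));
        System.out.println("vulnerable, token with wrong scope: " + isAuthorized(required, wrongScope, false));
        System.out.println("fixed, token with no scopes:        " + isAuthorized(required, noScopes, true));
        System.out.println("fixed, token with wrong scope:      " + isAuthorized(required, wrongScope, true));
        System.out.println("fixed, token with right scope:      " + isAuthorized(required, rightScope, true));
    }
}
```

Running the class shows the asymmetry the advisory describes: the vulnerable variant rejects a token holding the wrong scope but admits a token holding no scope, because the empty-list guard returns before any comparison happens. The fixed variant treats the empty list as the strongest possible mismatch and only a token holding the required scope is admitted. When reviewing similar helpers, check every early return on "empty input" and ask which side of the comparison it favours.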