Cedar Java
Monthly
Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.
Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.