Hi Jérôme - Hope you are well!
We have a need to upgrade to a new version of pac4j that addresses CVE-2021-44878. However, it appears that the version of pac4j with the fix requires Java 11 or above. Can we request a new release with Java 8 support as we are not able to drop support for it at this time without broad discussion and community agreement. Even then we would need to provide a Knox release with the fix backported for those that can't upgrade to 11+. If we could help with this effort, please let us know. thanks, --larry
