Search criteria
8 vulnerabilities by apereo
CVE-2025-3986 (GCVE-0-2025-3986)
Vulnerability from cvelistv5 – Published: 2025-04-27 21:00 – Updated: 2025-04-28 17:38
VLAI?
Title
Apereo CAS CasConfigurationMetadataServerController.java redos
Summary
A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
4.3 (Medium)
4.3 (Medium)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
caichaoxiong (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T17:34:50.472484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T17:38:45.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Apereo CAS 5.2.6 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. Mittels dem Manipulieren des Arguments Name mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T21:00:07.694Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306322 | Apereo CAS CasConfigurationMetadataServerController.java redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306322"
},
{
"name": "VDB-306322 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306322"
},
{
"name": "Submit #557473 | Apereo CAS v5.2.6 ReDos Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557473"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS CasConfigurationMetadataServerController.java redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3986",
"datePublished": "2025-04-27T21:00:07.694Z",
"dateReserved": "2025-04-26T08:07:08.619Z",
"dateUpdated": "2025-04-28T17:38:45.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3985 (GCVE-0-2025-3985)
Vulnerability from cvelistv5 – Published: 2025-04-27 20:31 – Updated: 2025-04-28 18:09
VLAI?
Title
Apereo CAS ResponseEntity redos
Summary
A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
caichaoxiong (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T18:02:23.445535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T18:09:01.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Apereo CAS 5.2.6 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion ResponseEntity der Datei cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. Durch Manipulation des Arguments Query mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T20:31:06.556Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306321 | Apereo CAS ResponseEntity redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306321"
},
{
"name": "VDB-306321 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306321"
},
{
"name": "Submit #557110 | Apereo CAS v5.2.6 ReDos regular expression engine denial of service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557110"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS ResponseEntity redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3985",
"datePublished": "2025-04-27T20:31:06.556Z",
"dateReserved": "2025-04-26T08:07:05.931Z",
"dateUpdated": "2025-04-28T18:09:01.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3984 (GCVE-0-2025-3984)
Vulnerability from cvelistv5 – Published: 2025-04-27 20:00 – Updated: 2025-04-28 18:09
VLAI?
Title
Apereo CAS Groovy Code RegisteredServiceSimpleFormController.java saveService code injection
Summary
A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
caichaoxiong (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T18:02:57.375986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T18:09:12.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Groovy Code Handler"
],
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Apereo CAS 5.2.6 gefunden. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion saveService der Datei cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\RegisteredServiceSimpleFormController.java der Komponente Groovy Code Handler. Durch die Manipulation mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.6,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T20:00:08.108Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306320 | Apereo CAS Groovy Code RegisteredServiceSimpleFormController.java saveService code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306320"
},
{
"name": "VDB-306320 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306320"
},
{
"name": "Submit #557100 | Apereo CAS v5.2.6 Remote Arbitrary Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557100"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=ilW4ixcMaVgGU49Dij"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS Groovy Code RegisteredServiceSimpleFormController.java saveService code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3984",
"datePublished": "2025-04-27T20:00:08.108Z",
"dateReserved": "2025-04-26T08:06:59.509Z",
"dateUpdated": "2025-04-28T18:09:12.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11209 (GCVE-0-2024-11209)
Vulnerability from cvelistv5 – Published: 2024-11-14 13:31 – Updated: 2024-11-14 14:29
VLAI?
Title
Apereo CAS 2FA login improper authentication
Summary
A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Arthur Souza (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apereo:cas_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cas_server",
"vendor": "apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11209",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:27:41.882291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:29:15.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"2FA"
],
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Apereo CAS 6.6 ausgemacht. Sie wurde als kritisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei /login?service der Komponente 2FA. Durch Manipulieren mit unbekannten Daten kann eine improper authentication-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T13:31:06.281Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284523 | Apereo CAS 2FA login improper authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.284523"
},
{
"name": "VDB-284523 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284523"
},
{
"name": "Submit #437238 | Apereo CAS 6.6 Authentication Bypass Issues",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.437238"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xArthurSouza/281e8ea8a797abc8371a8ced31dc5562"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-14T07:58:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS 2FA login improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11209",
"datePublished": "2024-11-14T13:31:06.281Z",
"dateReserved": "2024-11-14T06:53:18.271Z",
"dateUpdated": "2024-11-14T14:29:15.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11208 (GCVE-0-2024-11208)
Vulnerability from cvelistv5 – Published: 2024-11-14 13:31 – Updated: 2024-11-14 14:31
VLAI?
Title
Apereo CAS login session expiration
Summary
A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-613 - Session Expiration
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
Arthur Souza (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apereo:cas_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cas_server",
"vendor": "apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11208",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T14:30:05.341086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T14:31:21.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Apereo CAS 6.6 gefunden. Sie wurde als problematisch eingestuft. Dies betrifft einen unbekannten Teil der Datei /login?service. Durch das Manipulieren mit unbekannten Daten kann eine session expiration-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T13:31:04.929Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284522 | Apereo CAS login session expiration",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.284522"
},
{
"name": "VDB-284522 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284522"
},
{
"name": "Submit #437211 | Apereo CAS 6.6 Session Expiration",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.437211"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/0xArthurSouza/ce3b89887b03cc899d5e8cb6e472b04e"
},
{
"tags": [
"exploit"
],
"url": "https://ibb.co/1LxSK2k"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-14T07:58:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS login session expiration"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11208",
"datePublished": "2024-11-14T13:31:04.929Z",
"dateReserved": "2024-11-14T06:53:14.390Z",
"dateUpdated": "2024-11-14T14:31:21.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11207 (GCVE-0-2024-11207)
Vulnerability from cvelistv5 – Published: 2024-11-14 12:31 – Updated: 2024-11-14 19:32
VLAI?
Title
Apereo CAS login redirect
Summary
A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
4.3 (Medium)
4.3 (Medium)
CWE
- CWE-601 - Open Redirect
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Arthur Souza (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apereo:cas:6.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cas",
"vendor": "apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11207",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T18:46:20.660109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:32:28.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "6.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Apereo CAS 6.6 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Das betrifft eine unbekannte Funktionalit\u00e4t der Datei /login. Mittels Manipulieren des Arguments redirect_uri mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T12:31:04.225Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-284521 | Apereo CAS login redirect",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.284521"
},
{
"name": "VDB-284521 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.284521"
},
{
"name": "Submit #437207 | Apereo CAS 6.6 Open Redirect",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.437207"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/0xArthurSouza/68295d8fa20f18161945260fcdf842a2"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-11-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-11-14T07:58:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS login redirect"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-11207",
"datePublished": "2024-11-14T12:31:04.225Z",
"dateReserved": "2024-11-14T06:53:11.652Z",
"dateUpdated": "2024-11-14T19:32:28.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28857 (GCVE-0-2023-28857)
Vulnerability from cvelistv5 – Published: 2023-06-27 17:10 – Updated: 2024-11-27 19:03
VLAI?
Title
LDAP password leak in Apereo CAS - GHSL-2023-009
Summary
Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
4 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-009_Apereo_CAS/",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-009_Apereo_CAS/"
},
{
"name": "https://apereo.github.io/2023/02/20/x509-vuln/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://apereo.github.io/2023/02/20/x509-vuln/"
},
{
"name": "https://github.com/apereo/cas/releases/tag/v6.6.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apereo/cas/releases/tag/v6.6.6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28857",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T19:03:30.830177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T19:03:39.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.5.0, \u003c 6.5.9.1"
},
{
"status": "affected",
"version": "\u003e= 6.6.0, \u003c 6.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as \u201cssl_client_cert\u201d. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the \u201cCRL Distribution Points\u201d extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a \u201ccas.authn.x509.ldap.ldap-url\u201d and \u201ccas.authn.x509.ldap.bind-credential\u201d properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T17:10:47.930Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-009_Apereo_CAS/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-009_Apereo_CAS/"
},
{
"name": "https://apereo.github.io/2023/02/20/x509-vuln/",
"tags": [
"x_refsource_MISC"
],
"url": "https://apereo.github.io/2023/02/20/x509-vuln/"
},
{
"name": "https://github.com/apereo/cas/releases/tag/v6.6.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apereo/cas/releases/tag/v6.6.6"
}
],
"source": {
"advisory": "GHSA-p78h-m8pv-g9gm",
"discovery": "UNKNOWN"
},
"title": "LDAP password leak in Apereo CAS - GHSL-2023-009"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28857",
"datePublished": "2023-06-27T17:10:47.930Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2024-11-27T19:03:39.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39369 (GCVE-0-2022-39369)
Vulnerability from cvelistv5 – Published: 2022-11-01 00:00 – Updated: 2025-04-23 16:41
VLAI?
Title
Service Hostname Discovery Exploitation in phpCAS
Summary
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64"
},
{
"name": "FEDORA-2022-37c2d26f59",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/"
},
{
"name": "FEDORA-2022-d6c6782130",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/"
},
{
"name": "FEDORA-2022-76b3530ac2",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/"
},
{
"name": "[debian-lts-announce] 20230708 [SECURITY] [DLA 3485-1] php-cas security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:15.853866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:41:58.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpCAS",
"vendor": "apereo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to \"^(https)://.*\") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim\u0027s account on a vulnerable CASified service without victim\u0027s knowledge, when the victim visits attacker\u0027s website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS \u003c 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP\u0027s HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-99",
"description": "CWE-99: Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-08T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64"
},
{
"name": "FEDORA-2022-37c2d26f59",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/"
},
{
"name": "FEDORA-2022-d6c6782130",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/"
},
{
"name": "FEDORA-2022-76b3530ac2",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/"
},
{
"name": "[debian-lts-announce] 20230708 [SECURITY] [DLA 3485-1] php-cas security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html"
}
],
"source": {
"advisory": "GHSA-8q72-6qq8-xv64",
"discovery": "UNKNOWN"
},
"title": "Service Hostname Discovery Exploitation in phpCAS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39369",
"datePublished": "2022-11-01T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:41:58.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}