Bug 1131350 - (CVE-2014-4172) CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20140811,repo...
Keywords: Security
Depends On: 1131351 1131352 1131353 1131354 1131355 1131356 1131371
Blocks: 1131366
Reported: 2014-08-19 01:53 EDT by David Jorm
Modified: 2016-01-22 13:25 EST
Fixed In Version: cas-client 3.3.2, cas-client-core 3.3.2
Doc Type: Bug Fix
Last Closed: 2016-01-22 13:25:50 EST

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2015:1009
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat JBoss Portal 6.2.0 update
Last Updated: 2015-05-14 15:14:47 EDT

Description David Jorm 2014-08-19 01:53:16 EDT
It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.
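To make the description concrete, the following is an added illustration (not code from java-cas-client or from the reporter) of the two ways a client can assemble its back-channel validation request. The endpoint, service URL and ticket value are constructed for this example; the CAS `serviceValidate` endpoint and its `service`/`ticket` parameters are from the CAS protocol.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class CasValidationUrl {
    // Constructed CAS server endpoint for this example (not a real deployment).
    static final String VALIDATE_ENDPOINT = "https://cas.example.com/cas/serviceValidate";

    /** Weak pattern: raw concatenation, so '&' or '=' inside a value adds parameters. */
    static String buildUnencoded(String service, String ticket) {
        return VALIDATE_ENDPOINT + "?service=" + service + "&ticket=" + ticket;
    }

    /** Hardened pattern: each value is percent-encoded, so it stays a single value. */
    static String buildEncoded(String service, String ticket) throws UnsupportedEncodingException {
        return VALIDATE_ENDPOINT
                + "?service=" + URLEncoder.encode(service, "UTF-8")
                + "&ticket=" + URLEncoder.encode(ticket, "UTF-8");
    }

    /** Minimal query-string parser used only to check how many parameters the server would see. */
    static Map<String, String> queryParams(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = url.substring(url.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(key, value);
        }
        return params;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String service = "https://app.example.com/login";
        // Constructed value containing a separator; a real ticket would never be trusted unescaped.
        String ticket = "ST-1234&extra=1";

        Map<String, String> unsafe = queryParams(buildUnencoded(service, ticket));
        Map<String, String> safe = queryParams(buildEncoded(service, ticket));

        // The unencoded build lets the value smuggle in a third parameter; the encoded build
        // sends exactly the two parameters the client intended.
        System.out.println("unencoded parameters seen by server: " + unsafe.keySet());
        System.out.println("encoded parameters seen by server:   " + safe.keySet());
    }
}
```

A client-side check worth keeping in a test suite is the one `queryParams` performs here: after building the validation URL, the query must contain only the parameter names the client itself added.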
Comment 1 David Jorm 2014-08-19 01:55:34 EDT
External References:

https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html
Comment 5 David Jorm 2014-08-19 02:20:58 EDT
Created cas-client tracking bugs for this issue:

Affects: fedora-all [bug 1131371]
Comment 6 Arun Babu Neelicattu 2014-08-20 00:36:58 EDT
Upstream Issue:

https://issues.jasig.org/browse/CASC-228
Comment 7 Arun Babu Neelicattu 2014-08-20 00:42:13 EDT
Upstream Commits:

java-cas-client/master
https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814
Comment 8 Arun Babu Neelicattu 2014-08-20 01:07:22 EDT
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/4172.yaml
Comment 9 Fedora Update System 2014-08-29 23:58:52 EDT
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Murray McAllister 2014-08-31 23:29:00 EDT
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there.

php-pear-CAS 1.3.3 is already in Fedora and EPEL.
Comment 11 Murray McAllister 2014-08-31 23:33:10 EDT
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
> 
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.

https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
Comment 13 errata-xmlrpc 2015-05-14 11:23:13 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Comment 14 Kurt Seifried 2016-01-22 13:25:50 EST
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.