Bug 1131350 (CVE-2014-4172) - CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection
Summary: CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter in...
Status: CLOSED ERRATA
Alias: CVE-2014-4172
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20140811,repo...
Keywords: Security
Depends On: 1131351 1131352 1131353 1131354 1131355 1131356 1131371
Blocks: 1131366
TreeView+ depends on / blocked
 
Reported: 2014-08-19 05:53 UTC by David Jorm
Modified: 2016-01-22 18:25 UTC (History)
24 users (show)

Fixed In Version: cas-client 3.3.2, cas-client-core 3.3.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-22 18:25:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC
Red Hat Bugzilla 1131359 None None None Never

Internal Trackers: 1131359

Description David Jorm 2014-08-19 05:53:16 UTC
It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.

Comment 1 David Jorm 2014-08-19 05:55:34 UTC
External References:

https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html

Comment 5 David Jorm 2014-08-19 06:20:58 UTC
Created cas-client tracking bugs for this issue:

Affects: fedora-all [bug 1131371]

Comment 6 Arun Babu Neelicattu 2014-08-20 04:36:58 UTC
Upstream Issue:

https://issues.jasig.org/browse/CASC-228

Comment 7 Arun Babu Neelicattu 2014-08-20 04:42:13 UTC
Upstream Commits:

java-cas-client/master
https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814

Comment 8 Arun Babu Neelicattu 2014-08-20 05:07:22 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/4172.yaml

Comment 9 Fedora Update System 2014-08-30 03:58:52 UTC
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Murray McAllister 2014-09-01 03:29:00 UTC
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there.

php-pear-CAS 1.3.3 is already in Fedora and EPEL.

Comment 11 Murray McAllister 2014-09-01 03:33:10 UTC
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
> 
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.

https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog

Comment 13 errata-xmlrpc 2015-05-14 15:23:13 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 14 Kurt Seifried 2016-01-22 18:25:50 UTC
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.


Note You need to log in before you can comment on or make changes to this bug.