Bug 1131350 (CVE-2014-4172) - CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection
Summary: CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-4172
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1131351 1131352 1131353 1131354 1131355 1131356 1131371
Blocks: 1131366
Reported: 2014-08-19 05:53 UTC by David Jorm
Modified: 2021-02-17 06:17 UTC (History)

Fixed In Version: cas-client 3.3.2, cas-client-core 3.3.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-22 18:25:50 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1131359 0 high CLOSED CVE-2014-3527 Spring Security CAS: Access control bypass via untrusted information usage in proxy ticket authentication 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Internal Links: 1131359

Description David Jorm 2014-08-19 05:53:16 UTC
It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.
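
Added illustration (Python, not the Java CAS client's own code or the upstream fix): the defect class described above, a back-channel validation URL built by raw concatenation, beside the percent-encoded form, plus a check that the decoded query carries exactly the expected service and ticket parameters. The server URL, endpoint path, service URL and ticket value are constructed assumptions.

```python
from typing import List, Tuple
from urllib.parse import urlencode, urlsplit, parse_qsl

# Hypothetical CAS server and endpoint (constructed values for this example).
CAS_SERVER = "https://cas.example.org/cas"
VALIDATE_PATH = "/serviceValidate"


def build_validation_url_unencoded(service: str, ticket: str) -> str:
    """The defect pattern: raw concatenation. Any '&' or '=' inside a value
    becomes query syntax, so a value can add or override parameters."""
    return f"{CAS_SERVER}{VALIDATE_PATH}?service={service}&ticket={ticket}"


def build_validation_url(service: str, ticket: str) -> str:
    """Hardened form: percent-encode each value, so the query always carries
    exactly one 'service' and one 'ticket' whatever characters they contain."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{CAS_SERVER}{VALIDATE_PATH}?{query}"


def query_params(url: str) -> List[Tuple[str, str]]:
    """Decode the query the way a server would: an ordered (key, value) list."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def is_well_formed_validation_url(url: str, service: str, ticket: str) -> bool:
    """Defensive check: the decoded query must hold exactly the two expected
    parameters, each round-tripping to the value the client intended to send."""
    return query_params(url) == [("service", service), ("ticket", ticket)]


if __name__ == "__main__":
    service = "https://app.example.org/login?next=/home"
    # Constructed ticket value containing query syntax (not a real CAS ticket).
    ticket = "ST-1&service=https://other.example.org/"
    for builder in (build_validation_url_unencoded, build_validation_url):
        url = builder(service, ticket)
        print(builder.__name__, query_params(url),
              is_well_formed_validation_url(url, service, ticket))
```

The unencoded builder yields a query with a second `service` entry and fails the check; the encoded builder passes it.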

Comment 1 David Jorm 2014-08-19 05:55:34 UTC
External References:

https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html

Comment 5 David Jorm 2014-08-19 06:20:58 UTC
Created cas-client tracking bugs for this issue:

Affects: fedora-all [bug 1131371]

Comment 6 Arun Babu Neelicattu 2014-08-20 04:36:58 UTC
Upstream Issue:

https://issues.jasig.org/browse/CASC-228

Comment 7 Arun Babu Neelicattu 2014-08-20 04:42:13 UTC
Upstream Commits:

java-cas-client/master
https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814

Comment 8 Arun Babu Neelicattu 2014-08-20 05:07:22 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/4172.yaml

Comment 9 Fedora Update System 2014-08-30 03:58:52 UTC
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Murray McAllister 2014-09-01 03:29:00 UTC
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there.

php-pear-CAS 1.3.3 is already in Fedora and EPEL.

Comment 11 Murray McAllister 2014-09-01 03:33:10 UTC
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
> 
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.

https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog

Comment 13 errata-xmlrpc 2015-05-14 15:23:13 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 14 Kurt Seifried 2016-01-22 18:25:50 UTC
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.