It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.
External References: https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html
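The failure mode described above, as an added illustration that is not code from the JA-SIG CAS client or from this bug: a validation URL built by string concatenation lets a `&` inside the attacker-influenced `service` value start a new query parameter, while percent-encoding each value keeps it inside that parameter. The CAS endpoint, the `ST-…` ticket and the `pgtUrl` parameter chosen for the injected value are assumptions for the demonstration; the page does not say which parameter was injectable in practice.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed CAS server endpoint (constructed for this example).
CAS_VALIDATE = "https://cas.example.org/cas/serviceValidate"


def build_validate_url_unsafe(service: str, ticket: str) -> str:
    """Vulnerable pattern: values are concatenated into the query string unencoded,
    so '&' and '=' inside `service` are interpreted as parameter delimiters."""
    return f"{CAS_VALIDATE}?service={service}&ticket={ticket}"


def build_validate_url_safe(service: str, ticket: str) -> str:
    """Hardened pattern: urlencode() percent-encodes '&', '=' and '?' inside each
    value, so the server receives exactly two parameters."""
    return f"{CAS_VALIDATE}?{urlencode({'service': service, 'ticket': ticket})}"


def server_view(url: str) -> dict:
    """What a CAS server sees after parsing the back-channel request's query string."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


# Constructed attacker-influenced service URL: the client normally derives `service`
# from the incoming request, so a crafted request can smuggle '&pgtUrl=...' into it.
ATTACKER_SERVICE = "https://app.example.org/login?next=/&pgtUrl=https://attacker.example/cb"
TICKET = "ST-1234-example"  # assumed service ticket value


def injected_parameters(service: str, ticket: str) -> set:
    """Names of parameters the server would see beyond `service` and `ticket`;
    non-empty means the caller's URL builder is injectable."""
    seen = server_view(build_validate_url_unsafe(service, ticket))
    return set(seen) - {"service", "ticket"}


def demo() -> tuple:
    unsafe = server_view(build_validate_url_unsafe(ATTACKER_SERVICE, TICKET))
    safe = server_view(build_validate_url_safe(ATTACKER_SERVICE, TICKET))
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe:", unsafe)  # pgtUrl appears as its own parameter, service is truncated
    print("safe:  ", safe)    # service is intact, no extra parameters
```

Running `demo()` shows the unsafe builder delivering `pgtUrl` to the server as a separate parameter and truncating `service` at the injected `&`, whereas the encoded form hands the server the full service string and nothing else; `injected_parameters()` is the check to run against any URL builder that assembles validation requests from request-derived values.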
Created cas-client tracking bugs for this issue:

Affects: fedora-all [bug 1131371]
Upstream Issue: https://issues.jasig.org/browse/CASC-228
Upstream Commits: java-cas-client/master https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/4172.yaml
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there. php-pear-CAS 1.3.3 is already in Fedora and EPEL.
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
>
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.

https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.