Apereo Central Authentication Service
By the Year
In 2026 there have been 0 vulnerabilities in Apereo Central Authentication Service. Central Authentication Service did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 3 | 8.95 |
| 2023 | 2 | 8.65 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 6.10 |
| 2020 | 1 | 7.50 |
| 2019 | 1 | 8.10 |
It may take a day or so for new Central Authentication Service vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apereo Central Authentication Service Security Vulnerabilities
Apereo CAS 2FA Improper Authentication Vulnerability
CVE-2024-11209
9.8 - Critical
- November 14, 2024
A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Authentication
Apereo CAS Session Expiration Vulnerability in Login Service
CVE-2024-11208
8.1 - High
- November 14, 2024
A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Insufficient Session Expiration
Unvalidated Param SSRF in Unknown Product
CVE-2024-4399
- May 23, 2024
The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform an SSRF attack.
SSRF
Apereo CAS <=7.0-rc7 Improper Auth via getRemoteAddr MFA Bypass
CVE-2023-4612
9.8 - Critical
- November 09, 2023
Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. As of the date of publication there is no patch, and the vendor does not treat it as a vulnerability.
Authentication
X509CredAuthHandler LDAP URL Password Leak in Apereo CAS <6.6.6
CVE-2023-28857
7.5 - High
- June 27, 2023
Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as ssl_client_cert. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs a check that this certificate is not revoked. To do so, it fetches the URLs provided in the CRL Distribution Points extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting the cas.authn.x509.ldap.ldap-url and cas.authn.x509.ldap.bind-credential properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP URLs. When making requests to these LDAP URLs, Apereo CAS uses the same password as for the initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used for the LDAP connection configured on the server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Insufficiently Protected Credentials
Apereo CAS through 6.4.1
CVE-2021-42567
6.1 - Medium
- December 07, 2021
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
XSS
Apereo CAS 5.3.x before 5.3.16
CVE-2020-27178
7.5 - High
- October 16, 2020
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
Authentication
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of apache commons-lang3 RandomStringUtils for token and ID generation
CVE-2019-10754
8.1 - High
- September 23, 2019
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of apache commons-lang3 RandomStringUtils for token and ID generation, which makes them predictable because the PRNG algorithm behind RandomStringUtils is not cryptographically strong.
PRNG