Apereo Central Authentication Service


By the Year

In 2024 there have been 0 vulnerabilities in Apereo Central Authentication Service. Last year Central Authentication Service had 2 security vulnerabilities published. Right now, Central Authentication Service is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year   Vulnerabilities   Average Score
2024   0                 0.00
2023   2                 8.65
2022   0                 0.00
2021   1                 6.10
2020   1                 7.50
2019   1                 8.10
2018   0                 0.00

It may take a day or so for new Central Authentication Service vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apereo Central Authentication Service Security Vulnerabilities

Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method

CVE-2023-4612 9.8 - Critical - November 09, 2023

Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. As of the date of publication there is no patch, and the vendor does not treat it as a vulnerability.

authentication

Apereo CAS is an open source multilingual single sign-on solution for the web

CVE-2023-28857 7.5 - High - June 27, 2023

Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via the TLS handshake or a special HTTP header, such as ssl_client_cert. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs a check that the certificate is not revoked. To do so, it fetches the URLs listed in the CRL Distribution Points extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for X509 authentication with a password, for example by setting the cas.authn.x509.ldap.ldap-url and cas.authn.x509.ldap.bind-credential properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP URLs. When making requests to these LDAP URLs, Apereo CAS uses the same password as for the initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used for the LDAP connection configured on the server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Insufficiently Protected Credentials

Apereo CAS through 6.4.1

CVE-2021-42567 6.1 - Medium - December 07, 2021

Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

XSS

Apereo CAS 5.3.x before 5.3.16

CVE-2020-27178 7.5 - High - October 16, 2020

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.

authentication

Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation

CVE-2019-10754 8.1 - High - September 23, 2019

Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated values predictable because the PRNG algorithm behind RandomStringUtils is not cryptographically strong.

PRNG
