Hi all,

It seems that commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in OAuth20CallbackAuthorizeEndpointController.

Before, 'callback' was created per request; now it is shared among all threads accessing it. As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it. It looks rather like a high-profile security issue, since the redirect URL contains the 'state' value, which would allow one user to impersonate another, should they hit CAS at the same millisecond.

Kind regards,
Tim

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/F7C333C2-8EDB-4616-BE92-E24622948C6C%40ebay.com.
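The failure mode the post describes, as an added example that is not CAS code and not part of the original message: a minimal model of a redirect callback whose URL is built from a per-request OAuth state value, once as a single instance stored on the controller (the shape the post says the commit introduced) and once created per request (the shape it says existed before). The class and method names (RedirectCallback, SharedCallbackController, PerRequestCallbackController, begin) are hypothetical stand-ins for illustration only. Instead of relying on thread timing, the demo forces the interleaving the post is worried about: request A begins, request B begins before A has read its redirect URL, then A reads.

```java
import java.util.Objects;

// Hypothetical model of the callback object: holds the per-request OAuth
// 'state' and renders the redirect URL from it. Not CAS's own class.
final class RedirectCallback {
    private String state;

    void setState(String state) {
        this.state = Objects.requireNonNull(state);
    }

    String getRedirectUrl() {
        return "https://client.example/cb?code=AUTHCODE&state=" + state;
    }
}

// Buggy shape: one callback instance is a field of the controller, so every
// request mutates and reads the same object.
final class SharedCallbackController {
    private final RedirectCallback callback = new RedirectCallback(); // shared across requests

    RedirectCallback begin(String requestState) {
        callback.setState(requestState); // step 1: overwrite shared state
        return callback;                 // step 2 happens later: caller reads the URL
    }
}

// Fixed shape: a fresh callback per request that is never stored on the controller.
final class PerRequestCallbackController {
    RedirectCallback begin(String requestState) {
        RedirectCallback callback = new RedirectCallback(); // local to this request
        callback.setState(requestState);
        return callback;
    }
}

public class OAuthCallbackRaceDemo {
    // Forced interleaving: A begins, B begins before A reads, then A reads.
    // Returns true only if request A's redirect URL carries A's own state and
    // none of B's.
    static boolean requestAGetsOwnState(boolean sharedCallback) {
        String stateA = "state-A-0c3e"; // constructed sample values
        String stateB = "state-B-97f1";
        RedirectCallback forA;
        RedirectCallback forB;
        if (sharedCallback) {
            SharedCallbackController c = new SharedCallbackController();
            forA = c.begin(stateA);
            forB = c.begin(stateB); // B's setState lands on the same object A holds
        } else {
            PerRequestCallbackController c = new PerRequestCallbackController();
            forA = c.begin(stateA);
            forB = c.begin(stateB);
        }
        String urlA = forA.getRedirectUrl(); // A reads after B has interleaved
        String urlB = forB.getRedirectUrl();
        return urlA.contains("state=" + stateA)
                && !urlA.contains(stateB)
                && urlB.contains("state=" + stateB);
    }

    public static void main(String[] args) {
        System.out.println("shared callback, A receives its own state:      "
                + requestAGetsOwnState(true));
        System.out.println("per-request callback, A receives its own state: "
                + requestAGetsOwnState(false));
    }
}
```

The forced interleaving stands in for what the post calls two users hitting CAS "at the same millisecond": in production the overlap is a timing window rather than a guaranteed sequence, which is why the symptom is intermittent. The check to make when reviewing such a change is whether any object that carries request-specific values (here the OAuth state) has moved from a local variable or a per-request scope into a field of a singleton controller; if it has, either it must be created per request again or every field it holds must be passed through as method parameters rather than stored.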
