My apologies, correct commit ID is b1cbcb2a1b305fb915be3dac65e130da315772c0.
PR to address the issue: https://github.com/apereo/cas/pull/4253

From: "'Evdokimov, Timur(AWF)' via CAS Developer" <[email protected]>
Reply to: "Evdokimov, Timur(AWF)" <[email protected]>
Date: Friday, 6 September 2019 at 13:21
To: "[email protected]" <[email protected]>
Subject: [cas-dev] Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController

Hi all,

Seems like commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in OAuth20CallbackAuthorizeEndpointController. Before, ‘callback’ was created per request; now it is shared among all threads accessing it. As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it.

It looks rather like a high-profile security issue, since the redirect URL contains the ‘state’ value, which would allow one user to impersonate another, should they hit CAS at the same millisecond.

Kind regards,
Tim

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/F7C333C2-8EDB-4616-BE92-E24622948C6C%40ebay.com.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/807AC26E-B5A6-4C7A-8154-0AFCA2B1AAE6%40ebay.com.
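The bug class Tim describes (a request-scoped object promoted to a field on a singleton, so a set-then-get pair on it is no longer atomic across requests) can be reproduced and guarded against with a small concurrency check. The code below is an added example, not CAS code and not from the PR above: `Callback`, `SharedCallbackController`, `PerRequestCallbackController` and `duplicatedRedirects` are hypothetical stand-ins, and the redirect URL format and state generation are assumptions. It fires many concurrent "requests" at both shapes and counts how many callers received a redirect URL (and therefore a `state`) that another caller also received.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Hypothetical minimal model of the two shapes discussed on the list:
// a callback shared by every request versus one created per request.
// Not CAS code; names and URL format are assumptions for the demo.
public class CallbackRaceDemo {

    /** Stand-in for a per-user authorization callback carrying a 'state' value. */
    static final class Callback {
        private String state;
        void setState(String s) { this.state = s; }
        String getRedirectUrl() { return "https://client.example/cb?state=" + state; }
    }

    static final SecureRandom RNG = new SecureRandom();

    /** 128-bit random, URL-safe state value (assumed format). */
    static String freshState() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Regression shape: one Callback instance for all threads; set-then-get is not atomic. */
    static final class SharedCallbackController {
        private final Callback callback = new Callback();
        String handle() {
            callback.setState(freshState());
            Thread.yield(); // widen the window between set and get (demo only)
            return callback.getRedirectUrl();
        }
    }

    /** Safe shape: Callback is a local, so one request's state can never be read by another. */
    static final class PerRequestCallbackController {
        String handle() {
            Callback callback = new Callback();
            callback.setState(freshState());
            Thread.yield();
            return callback.getRedirectUrl();
        }
    }

    /** Runs n concurrent requests through handler; returns how many redirect URLs were not unique. */
    static int duplicatedRedirects(Callable<String> handler, int n) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(32);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            results.add(pool.submit(() -> { start.await(); return handler.call(); }));
        }
        start.countDown(); // release all workers at once to maximise overlap
        Set<String> seen = new HashSet<>();
        int dups = 0;
        for (Future<String> f : results) {
            if (!seen.add(f.get())) dups++;
        }
        pool.shutdown();
        return dups;
    }

    public static void main(String[] args) throws Exception {
        int n = 5000;
        SharedCallbackController shared = new SharedCallbackController();
        PerRequestCallbackController perRequest = new PerRequestCallbackController();
        System.out.println("shared callback, duplicated redirects:      " + duplicatedRedirects(shared::handle, n));
        System.out.println("per-request callback, duplicated redirects: " + duplicatedRedirects(perRequest::handle, n));
    }
}
```

The per-request shape always reports zero duplicates; the shared shape usually reports a nonzero count, but the exact number depends on scheduling and can be zero on a lightly loaded machine, so a regression test should assert uniqueness on the fixed code rather than assert that the racy code fails. The same harness is useful whenever a Spring-style singleton controller gains a mutable field: any value that must be unique per user (state, nonce, session token) should be produced and consumed within the request, never via instance state.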
