A critical security vulnerability has been discovered in several Jasig
CAS clients that allows URL parameter injection due to improper URL
encoding at the back-channel ticket validation step of the CAS
protocol. The following CVE number has been assigned to track this


Affected Software
Jasig Java CAS Client
Vulnerable versions: <3.3.2
Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685

.NET CAS Client
Vulnerable versions: <1.0.2
Fix version: 1.0.2,

Vulnerable versions: <1.3.3
Fix version: 1.3.3,

There may be other CAS clients that are vulnerable.

The nature of the vulnerability allows malicious remote (network)
agents to craft attack URLs that bypass security constraints of the
CAS protocol. The following attack scenarios are known and have been

1. A malicious service that can obtain a valid ticket can use it to
access another service in violation of the CAS protocol requirement
that a ticket issued for a service can only be used to access the
service for which the ticket was granted. This type of access amounts
to an illicit proxy: the attacker is proxying authentication for the
2. A malicious user can request a ticket for service A and use it to
access service B with the access privileges of A.

Attacks like scenario 1 could result in unauthorized data disclosure,
while scenario 2 could result in privilege escalation. Other attack
scenarios may be possible.

Upgrade affected CAS clients as soon as possible. Consider mitigation
if upgrading is not possible.

The CAS Service Management facility [1], which is enabled by default,
can be used to restrict services that are permitted to use CAS (i.e.
allowed to request tickets). Whitelisting trusted services can reduce
the scope of attacks like scenario 1 above.

The following servlet filter may provide additional defense at the CAS
server against some forms of this attack:


Marvin Addison
CAS Developer

[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html

You are currently subscribed to cas-user@lists.jasig.org as: 
To unsubscribe, change settings or access archives, see 

Reply via email to