Hi,

We recently commissioned a security audit of our software platform, and since it uses CAS, some of those findings pertain to CAS.

The following libraries that are bundled into the war file during the build process have been flagged as "High severity". Are the CAS developers aware of these vulnerabilities, and have they upgraded to later versions, perhaps?

CWE-20 Improper Input Validation High(7.8) geronimo-spec-jta-1.0.1B-rc4.jar
CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-webmvc-pac4j-2.0.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-modules-cache-0.8.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-js-2.4.6.RELEASE.jar
CWE-502 Deserialization of Untrusted Data High(7.5) jackson-databind-2.9.0.jar
CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-shell-1.2.0.RELEASE.jar

The following were flagged as "Medium severity":

CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-codec-standalone:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-aci:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-codec-api:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-sp:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-trigger:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-util:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-net-mina:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-schema-converter:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-util:1.0.0)
CWE-190 Integer Overflow or Wraparound Medium(5.0) cas-server-core-tickets-5.2.5.jar
CWE-200 Information Exposure Medium(5.0) d3js-3.5.6.jar
CWE-254 7PK - Security Features Medium(5.0) groovy-xml-2.4.12.jar
CWE-184 Incomplete Blacklist Medium(5.1) jackson-databind-2.9.0.jar
CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') Medium(5.0) momentjs-2.18.1.jar
CWE-20 Improper Input Validation Medium(5.0) ognl-2.6.11.jar
CWE-20 Improper Input Validation Medium(4.3) spring-core-4.3.16.RELEASE.jar
CWE-254 7PK - Security Features Medium(4.3) spring-core-4.3.16.RELEASE.jar
CWE-20 Improper Input Validation Medium(4.0) spring-core-4.3.16.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-js-2.4.6.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-js-2.4.6.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-js-2.4.6.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-modules-cache-0.8.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-modules-cache-0.8.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-modules-cache-0.8.jar
CWE-20 Improper Input Validation Medium(5.0) spring-security-crypto-4.2.3.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-shell-1.2.0.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-shell-1.2.0.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-shell-1.2.0.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-352 Cross-Site Request Forgery (CSRF) Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-webmvc-pac4j-2.0.0.jar
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Medium(5.1) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-200 Information Exposure Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-94 Improper Control of Generation of Code ('Code Injection') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar

I wonder what we could do in the interim. We use CAS 5.2.5.

Regards,
Ganesh

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/63918b13-343a-4195-9a0c-853afcf0f841%40apereo.org.
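A flat dump of scanner rows like the one in the post is hard to act on until it is regrouped per artifact and checked against what the build actually ships. The script below is an added example, not code from the poster or from the CAS project: it parses rows in the format the report uses (`<CWE-id> <title> <Severity>(<score>) <jar> [(shaded: <group:artifact:version>)]`, which is my reading of the rows above), folds the shaded api-all rows into the single jar they describe, ranks jars by their worst score, and cross-checks each flagged jar against the contents of `WEB-INF/lib` in the built WAR so that findings for jars that never reach the deployed artifact can be deprioritised. The sample rows and the in-memory WAR are constructed for the example, and the "first party" heuristic (artifact names starting with `cas-server-`) is an assumption of mine.

```python
import io
import re
import zipfile
from collections import defaultdict

# Constructed sample: a handful of rows copied in the format the scanner report
# on this thread uses. A real run would read the scanner's export instead.
SCAN_REPORT = """
CWE-20 Improper Input Validation High(7.8) geronimo-spec-jta-1.0.1B-rc4.jar
CWE-502 Deserialization of Untrusted Data High(7.5) jackson-databind-2.9.0.jar
CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
CWE-184 Incomplete Blacklist Medium(5.1) jackson-databind-2.9.0.jar
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-util:1.0.0)
CWE-190 Integer Overflow or Wraparound Medium(5.0) cas-server-core-tickets-5.2.5.jar
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') Medium(5.0) momentjs-2.18.1.jar
"""

# One finding: "<CWE-id> <title> <Severity>(<score>) <jar> [(shaded: <gav>)]" (assumed format).
# finditer over the whole text also copes with reports that were flattened onto one line.
FINDING_RE = re.compile(
    r"(?P<cwe>CWE-\d+)\s+(?P<title>.+?)\s+(?P<sev>High|Medium|Low)\((?P<score>\d+(?:\.\d+)?)\)\s+"
    r"(?P<jar>\S+\.jar)(?:\s+\(shaded:\s*(?P<shaded>[^)]+)\))?"
)
# Split "spring-core-4.3.16.RELEASE.jar" into artifact and version at the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_findings(report):
    """Return one dict per finding; text that does not fit the row format is ignored."""
    findings = []
    for m in FINDING_RE.finditer(report):
        d = m.groupdict()
        d["score"] = float(d["score"])
        findings.append(d)
    return findings


def split_jar(jar_name):
    m = JAR_RE.match(jar_name)
    return (m.group("artifact"), m.group("version")) if m else (jar_name, "")


def summarize(findings):
    """Collapse findings per jar: worst score, distinct CWEs, and any shaded sub-artifacts.

    Rows for shaded artifacts (the api-all case) describe one physical jar, so they
    are folded into that jar rather than counted as separate things to upgrade."""
    by_jar = defaultdict(lambda: {"count": 0, "max_score": 0.0, "cwes": set(), "shaded": set()})
    for f in findings:
        s = by_jar[f["jar"]]
        s["count"] += 1
        s["max_score"] = max(s["max_score"], f["score"])
        s["cwes"].add(f["cwe"])
        if f["shaded"]:
            s["shaded"].add(f["shaded"])
    return dict(by_jar)


def jars_in_war(war_bytes):
    """Map jar file name -> archive path for every jar under WEB-INF/lib of a WAR."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return {n.rsplit("/", 1)[-1]: n for n in zf.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")}


def build_sample_war(jar_names):
    """Constructed stand-in for a built overlay WAR: empty entries with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in jar_names:
            zf.writestr("WEB-INF/lib/" + name, b"")
    return buf.getvalue()


def triage(report, war_bytes):
    """Rank flagged jars by worst score and mark whether each actually ships in the WAR.

    A flagged jar that is not in WEB-INF/lib was picked up from somewhere else
    (a build-time or test dependency, a stale local copy) and can be deprioritised."""
    present = jars_in_war(war_bytes)
    rows = []
    for jar, s in summarize(parse_findings(report)).items():
        artifact, version = split_jar(jar)
        rows.append({
            "jar": jar, "artifact": artifact, "version": version,
            "max_score": s["max_score"], "findings": s["count"],
            "cwes": sorted(s["cwes"]), "shaded": sorted(s["shaded"]),
            "in_war": jar in present,
            "first_party": artifact.startswith("cas-server-"),  # assumed naming heuristic
        })
    rows.sort(key=lambda r: (-r["max_score"], r["jar"]))
    return rows


if __name__ == "__main__":
    war = build_sample_war(["jackson-databind-2.9.0.jar", "api-all-1.0.0.jar",
                            "cas-server-core-tickets-5.2.5.jar", "momentjs-2.18.1.jar"])
    for r in triage(SCAN_REPORT, war):
        flag = "" if r["in_war"] else "  (not in WAR)"
        print(f'{r["max_score"]:>4} {r["findings"]:>2}x {r["artifact"]} {r["version"]} '
              f'{",".join(r["cwes"])}{flag}')
```

To use it on a real report, pass the scanner's text export and the bytes of the WAR your overlay build produced (`triage(report_text, open(path_to_war, "rb").read())`). The ranking is only a starting point: the scanner's CVSS scores say nothing about whether the vulnerable code path is reachable in a CAS deployment, and jars that are present in the WAR but only used by features you have not enabled still deserve a look, since the class files are on the classpath regardless.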