Hi,

We recently commissioned a security audit of our software platform, and 
since it uses CAS, some of those findings pertain to CAS.

The following libraries that are bundled into the war file during the build 
process have been flagged as "High severity". Are the CAS developers aware 
of these vulnerabilities, and have they upgraded to later versions, perhaps?

CWE-20 Improper Input Validation High(7.8) geronimo-spec-jta-1.0.1B-rc4.jar
CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-webmvc-pac4j-2.0.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-modules-cache-0.8.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-js-2.4.6.RELEASE.jar
CWE-502 Deserialization of Untrusted Data High(7.5) jackson-databind-2.9.0.jar
CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-shell-1.2.0.RELEASE.jar

The following were flagged as "Medium severity":

CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-codec-standalone:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-aci:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-codec-api:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-sp:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-trigger:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-util:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-net-mina:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-schema-converter:1.0.0)
CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-util:1.0.0)
CWE-190 Integer Overflow or Wraparound Medium(5.0) cas-server-core-tickets-5.2.5.jar
CWE-200 Information Exposure Medium(5.0) d3js-3.5.6.jar
CWE-254 7PK - Security Features Medium(5.0) groovy-xml-2.4.12.jar
CWE-184 Incomplete Blacklist Medium(5.1) jackson-databind-2.9.0.jar
CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') Medium(5.0) momentjs-2.18.1.jar
CWE-20 Improper Input Validation Medium(5.0) ognl-2.6.11.jar
CWE-20 Improper Input Validation Medium(4.3) spring-core-4.3.16.RELEASE.jar
CWE-254 7PK - Security Features Medium(4.3) spring-core-4.3.16.RELEASE.jar
CWE-20 Improper Input Validation Medium(4.0) spring-core-4.3.16.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-js-2.4.6.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-js-2.4.6.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-js-2.4.6.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-modules-cache-0.8.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-modules-cache-0.8.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-modules-cache-0.8.jar
CWE-20 Improper Input Validation Medium(5.0) spring-security-crypto-4.2.3.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-shell-1.2.0.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-shell-1.2.0.RELEASE.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-shell-1.2.0.RELEASE.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-352 Cross-Site Request Forgery (CSRF) Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-webmvc-pac4j-2.0.0.jar
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Medium(5.1) spring-webmvc-pac4j-2.0.0.jar
CWE-264 Permissions, Privileges, and Access Controls Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-200 Information Exposure Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CWE-94 Improper Control of Generation of Code ('Code Injection') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar

I wonder what we could do in the interim. We use CAS 5.2.5.

Regards,
Ganesh

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/63918b13-343a-4195-9a0c-853afcf0f841%40apereo.org.