More detail on the "High impact" vulnerabilities in CAS - libraries included in the war file:

CVE-2011-5034 CWE-20 Improper Input Validation High(7.8) geronimo-spec-jta-1.0.1B-rc4.jar
CVE-2011-2730 CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-webmvc-pac4j-2.0.0.jar
CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-modules-cache-0.8.jar
CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-js-2.4.6.RELEASE.jar
CVE-2017-15095 CWE-502 Deserialization of Untrusted Data High(7.5) jackson-databind-2.9.0.jar
CVE-2018-7489 CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-shell-1.2.0.RELEASE.jar

Check out the details of these vulnerabilities:

https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2011-5034
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2011-2730
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-1270
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-15095
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-7489
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-1270

Surely, if these are considered "High impact" security vulnerabilities by a security auditor, and CAS is a security-related product, others must also be impacted by these. Hasn't anyone else encountered this feedback? What are others doing about it?

Regards,
Ganesh

On Monday, 15 October 2018 15:55:56 UTC+11, Ganesh Prasad wrote:
>
> Hi,
>
> We recently commissioned a security audit of our software platform, and
> since it uses CAS, some of those findings pertain to CAS.
>
> The following libraries that are bundled into the war file during the
> build process have been flagged as "High severity". Are the CAS developers
> aware of these vulnerabilities and upgraded to later versions, perhaps?
>
> CWE-20 Improper Input Validation High(7.8) geronimo-spec-jta-1.0.1B-rc4.jar
> CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
> CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-webmvc-pac4j-2.0.0.jar
> CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-modules-cache-0.8.jar
> CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-js-2.4.6.RELEASE.jar
> CWE-502 Deserialization of Untrusted Data High(7.5) jackson-databind-2.9.0.jar
> CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
> CWE-358 Improperly Implemented Security Check for Standard High(7.5) spring-shell-1.2.0.RELEASE.jar
>
> The following were flagged as "Medium severity":
>
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-codec-standalone:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-aci:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-codec-api:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-sp:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-trigger:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-extras-util:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-net-mina:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-ldap-schema-converter:1.0.0)
> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded: org.apache.directory.api:api-util:1.0.0)
> CWE-190 Integer Overflow or Wraparound Medium(5.0) cas-server-core-tickets-5.2.5.jar
> CWE-200 Information Exposure Medium(5.0) d3js-3.5.6.jar
> CWE-254 7PK - Security Features Medium(5.0) groovy-xml-2.4.12.jar
> CWE-184 Incomplete Blacklist Medium(5.1) jackson-databind-2.9.0.jar
> CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
> CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
> CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion') Medium(5.0) momentjs-2.18.1.jar
> CWE-20 Improper Input Validation Medium(5.0) ognl-2.6.11.jar
> CWE-20 Improper Input Validation Medium(4.3) spring-core-4.3.16.RELEASE.jar
> CWE-254 7PK - Security Features Medium(4.3) spring-core-4.3.16.RELEASE.jar
> CWE-20 Improper Input Validation Medium(4.0) spring-core-4.3.16.RELEASE.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-js-2.4.6.RELEASE.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-js-2.4.6.RELEASE.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-js-2.4.6.RELEASE.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-modules-cache-0.8.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-modules-cache-0.8.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-modules-cache-0.8.jar
> CWE-20 Improper Input Validation Medium(5.0) spring-security-crypto-4.2.3.RELEASE.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-shell-1.2.0.RELEASE.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-shell-1.2.0.RELEASE.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-shell-1.2.0.RELEASE.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
> CWE-352 Cross-Site Request Forgery (CSRF) Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0) spring-webmvc-pac4j-2.0.0.jar
> CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Medium(5.1) spring-webmvc-pac4j-2.0.0.jar
> CWE-264 Permissions, Privileges, and Access Controls Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
> CWE-200 Information Exposure Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
> CWE-94 Improper Control of Generation of Code ('Code Injection') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
>
> I wonder what we could do in the interim. We use CAS 5.2.5.
>
> Regards,
> Ganesh
