For completeness, here are the full details of the "Medium impact"
vulnerabilities. You can look up the details by replacing the reference
number with the appropriate one
(https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2015-3250):

CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-codec-standalone:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-extras-aci:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-extras-codec-api:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-extras-sp:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-extras-trigger:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-extras-util:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-net-mina:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-ldap-schema-converter:1.0.0)
CVE-2015-3250 CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
(shaded: org.apache.directory.api:api-util:1.0.0)
CVE-2018-13742 CWE-190 Integer Overflow or Wraparound Medium(5.0)
cas-server-core-tickets-5.2.5.jar
CVE-2017-16044 CWE-200 Information Exposure Medium(5.0) d3js-3.5.6.jar
CVE-2016-6497 CWE-254 7PK - Security Features Medium(5.0) groovy-xml-2.4.12.jar
CVE-2018-5968 CWE-184 Incomplete Blacklist Medium(5.1)
jackson-databind-2.9.0.jar
CVE-2013-2566 CWE-310 Cryptographic Issues Medium(4.3)
javax.el-api-3.0.0.jar
CVE-2015-2808 CWE-310 Cryptographic Issues Medium(4.3)
javax.el-api-3.0.0.jar
CVE-2017-18214 CWE-400 Uncontrolled Resource Consumption ('Resource
Exhaustion') Medium(5.0) momentjs-2.18.1.jar
CVE-2016-3093 CWE-20 Improper Input Validation Medium(5.0) ognl-2.6.11.jar
CVE-2018-11039 CWE-20 Improper Input Validation Medium(4.3)
spring-core-4.3.16.RELEASE.jar
CVE-2018-11040 CWE-254 7PK - Security Features Medium(4.3)
spring-core-4.3.16.RELEASE.jar
CVE-2018-1257 CWE-20 Improper Input Validation Medium(4.0)
spring-core-4.3.16.RELEASE.jar
CVE-2018-1272 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.0) spring-js-2.4.6.RELEASE.jar
CVE-2016-9878 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(5.0) spring-js-2.4.6.RELEASE.jar
CVE-2018-1271 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(4.3) spring-js-2.4.6.RELEASE.jar
CVE-2018-1272 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.0) spring-modules-cache-0.8.jar
CVE-2016-9878 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(5.0) spring-modules-cache-0.8.jar
CVE-2018-1271 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(4.3) spring-modules-cache-0.8.jar
CVE-2018-1199 CWE-20 Improper Input Validation Medium(5.0)
spring-security-crypto-4.2.3.RELEASE.jar
CVE-2018-1272 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.0) spring-shell-1.2.0.RELEASE.jar
CVE-2016-9878 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(5.0) spring-shell-1.2.0.RELEASE.jar
CVE-2018-1271 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(4.3) spring-shell-1.2.0.RELEASE.jar
CVE-2011-2894 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CVE-2013-4152 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CVE-2013-6429 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CVE-2013-7315 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.8) spring-webmvc-pac4j-2.0.0.jar
CVE-2014-0054 CWE-352 Cross-Site Request Forgery (CSRF) Medium(6.8)
spring-webmvc-pac4j-2.0.0.jar
CVE-2018-1272 CWE-264 Permissions, Privileges, and Access Controls
Medium(6.0) spring-webmvc-pac4j-2.0.0.jar
CVE-2011-2731 CWE-362 Concurrent Execution using Shared Resource with
Improper Synchronization ('Race Condition') Medium(5.1)
spring-webmvc-pac4j-2.0.0.jar
CVE-2010-3700 CWE-264 Permissions, Privileges, and Access Controls
Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CVE-2012-5055 CWE-200 Information Exposure Medium(5.0)
spring-webmvc-pac4j-2.0.0.jar
CVE-2016-9878 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
CVE-2011-2732 CWE-94 Improper Control of Generation of Code ('Code
Injection') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
CVE-2014-1904 CWE-79 Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') Medium(4.3)
spring-webmvc-pac4j-2.0.0.jar
CVE-2018-1271 CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar

Regards,
Ganesh

On Tuesday, 16 October 2018 17:28:28 UTC+11, Ganesh Prasad wrote:
>
> More detail on the "High impact" vulnerabilities in CAS - libraries
> included in the war file:
>
> CVE-2011-5034 CWE-20 Improper Input Validation High(7.8)
> geronimo-spec-jta-1.0.1B-rc4.jar
> CVE-2011-2730 CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
> CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard
> High(7.5) spring-webmvc-pac4j-2.0.0.jar
> CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard
> High(7.5) spring-modules-cache-0.8.jar
> CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard
> High(7.5) spring-js-2.4.6.RELEASE.jar
> CVE-2017-15095 CWE-502 Deserialization of Untrusted Data High(7.5)
> jackson-databind-2.9.0.jar
> CVE-2018-7489 CWE-184 Incomplete Blacklist High(7.5)
> jackson-databind-2.9.0.jar
> CVE-2018-1270 CWE-358 Improperly Implemented Security Check for Standard
> High(7.5) spring-shell-1.2.0.RELEASE.jar
>
> Check out the details of these vulnerabilities:
>
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2011-5034
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2011-2730
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-1270
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2017-15095
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-7489
> https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-1270
>
> Surely, if these are considered "High impact" security vulnerabilities by
> a security auditor, and CAS is a security-related product, others must also
> be impacted by these. Hasn't anyone else encountered this feedback? What
> are others doing about it?
>
> Regards,
> Ganesh
>
>
>
> On Monday, 15 October 2018 15:55:56 UTC+11, Ganesh Prasad wrote:
>>
>> Hi,
>>
>> We recently commissioned a security audit of our software platform, and
>> since it uses CAS, some of those findings pertain to CAS.
>>
>> The following libraries that are bundled into the war file during the
>> build process have been flagged as "High severity". Are the CAS developers
>> aware of these vulnerabilities, and have they upgraded to later versions, perhaps?
>>
>> CWE-20 Improper Input Validation High(7.8)
>> geronimo-spec-jta-1.0.1B-rc4.jar
>> CWE-16 Configuration High(7.5) spring-webmvc-pac4j-2.0.0.jar
>> CWE-358 Improperly Implemented Security Check for Standard High(7.5)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-358 Improperly Implemented Security Check for Standard High(7.5)
>> spring-modules-cache-0.8.jar
>> CWE-358 Improperly Implemented Security Check for Standard High(7.5)
>> spring-js-2.4.6.RELEASE.jar
>> CWE-502 Deserialization of Untrusted Data High(7.5)
>> jackson-databind-2.9.0.jar
>> CWE-184 Incomplete Blacklist High(7.5) jackson-databind-2.9.0.jar
>> CWE-358 Improperly Implemented Security Check for Standard High(7.5)
>> spring-shell-1.2.0.RELEASE.jar
>>
>> The following were flagged as "Medium severity":
>>
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-codec-standalone:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-extras-aci:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-extras-codec-api:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-extras-sp:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-extras-trigger:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-extras-util:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-net-mina:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-ldap-schema-converter:1.0.0)
>> CWE-200 Information Exposure Medium(5.0) api-all-1.0.0.jar (shaded:
>> org.apache.directory.api:api-util:1.0.0)
>> CWE-190 Integer Overflow or Wraparound Medium(5.0)
>> cas-server-core-tickets-5.2.5.jar
>> CWE-200 Information Exposure Medium(5.0) d3js-3.5.6.jar
>> CWE-254 7PK - Security Features Medium(5.0) groovy-xml-2.4.12.jar
>> CWE-184 Incomplete Blacklist Medium(5.1) jackson-databind-2.9.0.jar
>> CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
>> CWE-310 Cryptographic Issues Medium(4.3) javax.el-api-3.0.0.jar
>> CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
>> Medium(5.0) momentjs-2.18.1.jar
>> CWE-20 Improper Input Validation Medium(5.0) ognl-2.6.11.jar
>> CWE-20 Improper Input Validation Medium(4.3) spring-core-4.3.16.RELEASE.jar
>> CWE-254 7PK - Security Features Medium(4.3) spring-core-4.3.16.RELEASE.jar
>> CWE-20 Improper Input Validation Medium(4.0) spring-core-4.3.16.RELEASE.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0)
>> spring-js-2.4.6.RELEASE.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(5.0) spring-js-2.4.6.RELEASE.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(4.3) spring-js-2.4.6.RELEASE.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0)
>> spring-modules-cache-0.8.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(5.0) spring-modules-cache-0.8.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(4.3) spring-modules-cache-0.8.jar
>> CWE-20 Improper Input Validation Medium(5.0)
>> spring-security-crypto-4.2.3.RELEASE.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0)
>> spring-shell-1.2.0.RELEASE.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(5.0) spring-shell-1.2.0.RELEASE.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(4.3) spring-shell-1.2.0.RELEASE.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.8)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-352 Cross-Site Request Forgery (CSRF) Medium(6.8)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(6.0)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-362 Concurrent Execution using Shared Resource with Improper
>> Synchronization ('Race Condition') Medium(5.1)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-264 Permissions, Privileges, and Access Controls Medium(5.0)
>> spring-webmvc-pac4j-2.0.0.jar
>> CWE-200 Information Exposure Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(5.0) spring-webmvc-pac4j-2.0.0.jar
>> CWE-94 Improper Control of Generation of Code ('Code Injection')
>> Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
>> CWE-79 Improper Neutralization of Input During Web Page Generation
>> ('Cross-site Scripting') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
>> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path
>> Traversal') Medium(4.3) spring-webmvc-pac4j-2.0.0.jar
>>
>> I wonder what we could do in the interim. We use CAS 5.2.5.
>>
>> Regards,
>> Ganesh
>>
>