Hi,
AFAIK you are only vulnerable if you use "inline groovy" scripts
(as can be seen in
https://apereo.github.io/cas/6.6.x/integration/Attribute-Release-Policy-InlineGroovy.html ).
So AFAIK Groovy scripts in their own xxx.groovy file are not vulnerable
(non-vulnerable examples: "cas.authn.mfa.groovy-script.location=file:xxx",
"cas.interrupt.groovy.location=file:...").
cu
On 30/08/2023 21:14, Graham Ballantyne wrote:
Hi Misagh,
Does this vulnerability extend to CAS versions before 6.5? We're planning an upgrade to 6.6 right now but it would be useful to know if we're currently vulnerable on 6.3.x (we have one Groovy script in our MFA flow).
Cheers,
Graham.
On Aug 30, 2023, at 01:35, Misagh <[email protected]> wrote:
Please see: https://apereo.github.io/2023/08/30/groovy-vuln/