Control: tags -1 + confirmed

On Mon, 2024-08-05 at 13:16 +0000, Bastien Roucariès wrote:
> [ Reason ]
> CVE-2022-39369
>
> [ Impact ]
> Service Hostname Discovery Exploitation
>
> The phpCAS library uses HTTP headers to determine the service URL
> used to validate tickets. This allows an attacker to control the host
> header and use a valid ticket granted for any authorized service in
> the same SSO realm (CAS server) to authenticate to the service
> protected by phpCAS. Depending on the settings of the CAS server
> service registry in worst case this may be any other service URL (if
> the allowed URLs are configured to "^(https)://.*") or may be
> strictly limited to known and authorized services in the same SSO
> federation if proper URL service validation is applied.
>
> This vulnerability may allow an attacker to gain access to a victim's
> account on a vulnerable CASified service without victim's knowledge,
> when the victim visits attacker's website while being logged in to
> the same CAS server.
> +php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=high

Both the changelog and NEWS file should use "bullseye" as the distribution.
With that fixed, please go ahead.

Regards,

Adam
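The mechanism the quoted advisory describes, as an added illustration that is not part of this mail and not phpCAS code: a CAS client must tell the CAS server which "service" URL a ticket was issued for, and if that URL is rebuilt from the request's Host header, the client is validating against whatever hostname the request carried. The functions, hostnames and request arrays below are constructed for the example; the remedy shown (pinning the service base URL in configuration, with the Host header at most selecting among configured values) is the same idea as the explicit `$service_base_url` argument phpCAS 1.6.0 added to `phpCAS::client()`, which this page does not itself mention.

```php
<?php
// Added example, not phpCAS code: deriving the CAS "service" URL from request
// headers versus pinning it in configuration. All request arrays are constructed.

/** Path of the request without its query string (the CAS ticket travels in the query). */
function requestPath(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return explode('?', $uri, 2)[0] ?: '/';
}

/**
 * Vulnerable pattern: the service URL sent to the CAS server for ticket
 * validation is rebuilt from the Host header, which the client chooses.
 */
function serviceUrlFromHeaders(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . requestPath($server);
}

/**
 * Hardened pattern: scheme and host come from deployment configuration;
 * only the path is taken from the request, so a spoofed Host header has no effect.
 */
function serviceUrlFromConfig(string $serviceBaseUrl, array $server): string
{
    return rtrim($serviceBaseUrl, '/') . requestPath($server);
}

/**
 * Hardened variant for a deployment that answers on several hostnames: the Host
 * header may only select among configured base URLs, never introduce a new one.
 */
function serviceUrlFromAllowList(array $allowedBaseUrls, array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    foreach ($allowedBaseUrls as $base) {
        if (strtolower((string) parse_url($base, PHP_URL_HOST)) === $host) {
            return serviceUrlFromConfig($base, $server);
        }
    }
    // Unknown host: refuse rather than guess a service URL.
    throw new RuntimeException("Host header '$host' matches no configured service base URL");
}

// Constructed request: a legitimate visit to the protected application.
$normal = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'app.example.org',
    'REQUEST_URI' => '/login?ticket=ST-constructed-example',
];

// Constructed request: same path, but the Host header names another service
// in the same SSO realm (the condition the advisory describes).
$spoofed = $normal;
$spoofed['HTTP_HOST'] = 'other-service.example.org';

$configuredBase = 'https://app.example.org';

printf("header-derived, normal : %s\n", serviceUrlFromHeaders($normal));
printf("header-derived, spoofed: %s\n", serviceUrlFromHeaders($spoofed));
printf("config-derived, spoofed: %s\n", serviceUrlFromConfig($configuredBase, $spoofed));

try {
    serviceUrlFromAllowList([$configuredBase], $spoofed);
} catch (RuntimeException $e) {
    echo "allow-list, spoofed   : rejected (" . $e->getMessage() . ")\n";
}
```

Run with `php example.php`: the header-derived service URL follows the spoofed Host header to a different host, while the configuration-derived one stays on the deployed application's hostname and the allow-list variant refuses the request outright. The check worth keeping in a CAS client, whatever the library, is that the service URL used for ticket validation can be traced back to configuration rather than to any request header.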

