The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Jasig CAS: access control bypass

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of URL of Jasig CAS.
Impacted products: CAS Client Java, Debian, Fedora.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/08/2014.
Références of this threat: CVE-2014-4172, DSA-3017-1, FEDORA-2014-9662, RHSA-2015:1009, VIGILANCE-VUL-15147.

Description of the vulnerability 

Several vulnerabilities were announced in Jasig CAS.

A client attacker who have an authorization for a service can use it to access another service, in order to escalate his privileges. [severity:3/4]

A server attacker A can use a client authorization for A to access another server B with the access rights of this client. [severity:2/4]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This weakness bulletin impacts software or systems such as CAS Client Java, Debian, Fedora.

Our Vigil@nce team determined that the severity of this computer weakness is important.

The trust level is of type confirmed by the editor, with an origin of intranet client.

This bulletin is about 2 vulnerabilities.

An attacker with a expert ability can exploit this vulnerability announce.

Solutions for this threat 

Jasig CAS Client: Java client version 3.3.2.
The version 3.3.2 is fixed:
  http://search.maven.org/#browse%7C1586013685
Note: thera are also PHP and .NET fixed versions of the client.

Debian: new php-cas packages.
New packages are available:
  Debian 7: php-cas 1.3.1-4+deb7u1

Fedora 20: new cas-client packages.
New packages are available:
  Fedora 20: cas-client 3.3.3-1.fc20

Red Hat JBoss Portal: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a computer vulnerability database. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.