Advisories for Maven/Org.apereo.cas/Cas-Server-Core-Services-Authentication package

2023

Insufficiently Protected Credentials

Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL …

2021

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Apereo CAS allows XSS via POST requests sent to the REST API endpoints.

2020

Improper Authentication

Apereo CAS mishandles secret keys with Google Authenticator for multifactor authentication.

2019

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Multiple classes used within Apereo CAS make use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.