CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
60.9%
Package : php-cas
Version : 1.3.6-1+deb10u1
CVE ID : CVE-2022-39369
Debian Bug : 1023571
A vulnerability has been found in phpCAS, a Central Authentication
Service client library in PHP, which may allow an attacker to gain
access to a victim's account on a vulnerable CASified service without
the victim's knowledge, when the victim visits the attacker's website
while being logged in to the same CAS server.
The fix for this vulnerability requires an API-breaking change in php-cas
and will require that software using the library be updated.
For buster, all packages in the Debian repositories that use php-cas
have been updated, though additional manual configuration is to be
expected, as php-cas needs additional site information – the service
base URL – for it to function. The DLAs for the respective packages
will have additional information, as will the packages' NEWS files.
For 3rd party software using php-cas, please note that upstream
provided the following instructions on how to update this software [1]:
phpCAS now requires an additional service base URL argument when constructing
the client class. It accepts any argument of:
Constructing the client class is usually done with phpCAS::client().
For example, using the first possibility:
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
could become:
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, "https://casified-service.example.org:8080");
Details of the vulnerability:
CVE-2022-39369
The phpCAS library uses HTTP headers to determine the service URL used
to validate tickets. This allows an attacker to control the Host header
and use a valid ticket granted for any authorized service in the same
SSO realm (CAS server) to authenticate to the service protected by
phpCAS. Depending on the settings of the CAS server's service registry,
in the worst case this may be any other service URL (if the allowed URLs
are configured to "^(https)://.*"), or it may be strictly limited to
known and authorized services in the same SSO federation if proper
service URL validation is applied.
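The following is an added example and not code from php-cas or from the Debian advisory. It contrasts the two ways of deriving the service URL that the CAS server is asked to validate a ticket for: rebuilding it from the request (the behaviour the advisory describes, where the Host header is client-supplied) versus prefixing a configured service base URL, which is what the new fifth argument of phpCAS::client() provides. The function names, the constructed request array and the host names are assumptions; the page only states that phpCAS derived the service URL from HTTP headers and now requires the base URL.

```php
<?php
// Added example (not php-cas code). Shows why validating a ticket against a
// service URL rebuilt from request headers is unsafe, and what the configured
// service base URL changes. Function and variable names are assumptions.

// Before the fix: the authority (host and port) of the service URL comes
// from the request, so whoever sets the Host header chooses the service
// that the CAS server is asked to validate the ticket for.
function serviceUrlFromRequest(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'];                 // client-supplied
    $path   = strtok($server['REQUEST_URI'], '?');  // path without the ticket= query
    return $scheme . '://' . $host . $path;
}

// After the fix: the operator configures the service base URL once; only the
// request path is taken from the request, the authority never is.
function serviceUrlFromBase(string $serviceBaseUrl, array $server): string
{
    $base = rtrim($serviceBaseUrl, '/');
    $path = strtok($server['REQUEST_URI'], '?');
    return $base . $path;
}

// Constructed request: a Host header naming a different service in the same
// SSO realm, together with a ticket issued for that other service.
$request = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'other-service.example.net',
    'REQUEST_URI' => '/login.php?ticket=ST-constructed-example',
];

$before = serviceUrlFromRequest($request);
// https://other-service.example.net/login.php
// The ticket was issued for exactly this URL, so the CAS server reports it
// valid and phpCAS treats the caller as authenticated to this service.

$after = serviceUrlFromBase('https://casified-service.example.org:8080', $request);
// https://casified-service.example.org:8080/login.php
// The ticket was not issued for this service, so validation fails.

echo "service URL derived from request headers: $before\n";
echo "service URL derived from configured base:  $after\n";
```

The value passed as the service base URL here is the same string that goes into the fifth argument of phpCAS::client() in the migration shown above; it must be the URL under which the CAS server knows this service, including scheme and non-default port, otherwise legitimate tickets will also fail validation after the upgrade.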
For Debian 10 buster, this problem has been fixed in version
1.3.6-1+deb10u1.
We recommend that you upgrade your php-cas packages.
For the detailed security status of php-cas please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-cas
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 11 | all | php-cas | < 1.3.8-1+deb11u1 | php-cas_1.3.8-1+deb11u1_all.deb |
Debian | 10 | all | php-cas | < 1.3.6-1+deb10u1 | php-cas_1.3.6-1+deb10u1_all.deb |