Vulnerabilites related to Apereo Foundation - CAS
cve-2023-4612
Vulnerability from cvelistv5
Published
2023-11-09 13:41
Modified
2024-10-10 15:35
Severity ?
EPSS score ?
Summary
Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://cert.pl/posts/2023/11/CVE-2023-4612/ | third-party-advisory | |
| https://cert.pl/en/posts/2023/11/CVE-2023-4612/ | third-party-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apereo Foundation | CAS |
Version: 0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/11/CVE-2023-4612/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/11/CVE-2023-4612/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.apereo.org/projects/cas",
"defaultStatus": "unknown",
"product": "CAS",
"vendor": "Apereo Foundation",
"versions": [
{
"lessThanOrEqual": "7.0.0-RC7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Maksym Brz\u0119czek (efigo.pl)"
}
],
"datePublic": "2023-11-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Apereo CAS in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ejakarta.servlet.http.HttpServletRequest.getRemoteAddr method\u003c/span\u003e allows Multi-Factor Authentication bypass.\u003cp\u003eThis issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability.\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in Apereo CAS in\u00a0jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-302",
"description": "CWE-302 Authentication Bypass by Assumed-Immutable Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:35:59.524Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/11/CVE-2023-4612/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/11/CVE-2023-4612/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MFA bypass in Apereo CAS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-4612",
"datePublished": "2023-11-09T13:41:38.189Z",
"dateReserved": "2023-08-30T06:31:53.251Z",
"dateUpdated": "2024-10-10T15:35:59.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}