Overview
This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects its REST protocol and functionality. If you are not using the CAS REST functionality to create or query for tickets, there is nothing to do here. Keep calm and carry on.
For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.
Affected Deployments
The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:
- 6.3.x
- 6.4.x
If your CAS version is not listed above and is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. For additional information, please see the project license.
If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.
Severity
CAS is vulnerable to a Reflected Cross Site Scripting attack, via POST requests sent to the REST API endpoints. The payload could be injected on URLs: /cas/v1/tickets/. Malicious scripts can be submitted to CAS via parameters such as the ticket id or the username. That results in CAS rejecting the request and produce a response in which the value of the vulnerable parameter is echoed back, resulting in its execution.
CVE-2021-42567 has been reserved to track this issue.
Timeline
The issue was originally reported on October 13th, 2021 and upon confirmation, CAS releases were patched on October 16th, 2021 and released.
Patching
Big thanks to Caio Farias for reporting this issue, supplying a patch to fix the issue and working with the security team to test and discuss the fix.
Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.
Procedure
6.3.x
Modify your CAS overlay to point to the version 6.3.7.1.
6.4.x
Modify your CAS overlay to point to the version 6.4.2.
Support
Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.
If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.
Resources
On behalf of the CAS Application Security working group,