Overview
This is an Apereo CAS project vulnerability disclosure, describing an issue in CAS when it’s acting as an OpenID Connect identity provider. If you are not using CAS as an OpenID Connect Provider, there is nothing to do here. Keep calm and carry on.
For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.
Credits
The issue was originally reported by Jérôme Leleu, a fellow CAS committer and long-time supporter. Jérôme was also kind enough to supply the fix and follow up with tests and confirmations, all of which were ultimately incorporated into the published releases. Thank you!
Affected Deployments
The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:
- 6.5.x
- 6.6.x
If your CAS version is not listed above AND is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. For additional information, please see the project license.
If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.
Severity
The problem affects CAS deployments that are configured to act as an OAuth or OpenID Connect identity provider and it appears when the authorization endpoint receives a request that contains an unknown, unregistered, invalid value for the scope parameter. This unknown scope forces CAS, once authentication flow is completed, to mistakenly bypass claim/attribute release rules and build ID/access tokens that contain all available user claims rather than those explicitly authorized and allowed for the request and relying party. In other words, the security issue can be classified as data leak where the OpenID Connect caller (or relying party) is allowed to receive more information about the caller, when claim release rules say otherwise.
Timeline
The issue was originally reported on July 19th, 2023 and upon confirmation, CAS releases were patched and published on July 21st, 2023.
Patching
Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.
Procedure
6.5.x
Modify your CAS overlay to point to the version 6.5.9.2.
6.6.x
Modify your CAS overlay to point to the version 6.6.10.
Support
Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.
If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.
Resources
On behalf of the CAS Application Security working group,