Vulnerability Details : CVE-2014-4172
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
Products affected by CVE-2014-4172
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:a:apereo:phpcas:*:*:*:*:*:*:*:*
- cpe:2.3:a:apereo:.net_cas_client:*:*:*:*:*:*:*:*
- cpe:2.3:a:apereo:java_cas_client:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4172
EPSS score: 2.41% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~90% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-4172
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2014-4172
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4172
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95673
  Jasig multiple CAS clients security bypass CVE-2014-4172 Vulnerability Report (Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1131350
  1131350 – (CVE-2014-4172) CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection (Issue Tracking; Third Party Advisory)
- https://issues.jasig.org/browse/CASC-228
  [CASC-228] CVE-2014-4172 URL Encode Parameters Passed to Validate Endpoints - Jira (Third Party Advisory)
- https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
  phpCAS/ChangeLog at master · apereo/phpCAS · GitHub (Release Notes; Third Party Advisory)
- https://www.debian.org/security/2014/dsa-3017.en.html
  Debian -- Security Information -- DSA-3017-1 php-cas (Third Party Advisory)
- https://github.com/Jasig/phpCAS/pull/125
  URL Encode ticket parameter when presented for validation. by serac · Pull Request #125 · apereo/phpCAS · GitHub (Third Party Advisory)
- https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814
  CASC-228 URL Encode Paramaters Passed to Server via Validate · apereo/java-cas-client@ae37092 · GitHub (Patch; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html
  [SECURITY] Fedora 20 Update: cas-client-3.3.3-1.fc20 (Third Party Advisory)
- https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html
  [cas-user] CAS Client Security Vulnerability CVE-2014-4172 (Patch; Third Party Advisory)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718
  #759718 - php-cas needs to urlencode all tickets (CVE-2014-4172) - Debian Bug report logs (Third Party Advisory)
- https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d
  NETC-60 URL encode ticket parameter value. · apereo/dotnet-cas-client@f0e0300 · GitHub (Patch; Third Party Advisory)