Vulnerability Details : CVE-2023-4612
Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. As of the publication date there is no patch, and the vendor does not treat it as a vulnerability.
Products affected by CVE-2023-4612
- cpe:2.3:a:apereo:central_authentication_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:apereo:central_authentication_service:7.0.0:rc7:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4612
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~57% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2023-4612
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-4612
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by:
  - cvd@cert.pl (Secondary)
  - nvd@nist.gov (Primary)
- The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker. Assigned by:
  - cvd@cert.pl (Secondary)
References for CVE-2023-4612
- https://cert.pl/posts/2023/11/CVE-2023-4612/ : Vulnerability in Apereo CAS software | CERT Polska (Third Party Advisory)
- https://cert.pl/en/posts/2023/11/CVE-2023-4612/ : Vulnerability in Apereo CAS software | CERT Polska (Third Party Advisory)