Vulnerabilities > CVE-2014-2296 - XXE vulnerability in Apereo CAS Server
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
References
- http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4662444.html
- http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4662444.html
- https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-via-Google-Accounts-Integration-14512
- https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-via-Google-Accounts-Integration-14512