CVE-2014-4172
Summary
| CVE | CVE-2014-4172 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-24 19:15:00 UTC |
| Updated | 2023-11-07 02:20:00 UTC |
| Description | A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java. |
Risk And Classification
Problem Types: CWE-74
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apereo | .net Cas Client | All | All | All | All |
| Application | Apereo | Java Cas Client | All | All | All | All |
| Application | Apereo | Phpcas | All | All | All | All |
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 20 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| phpCAS/ChangeLog at master · apereo/phpCAS · GitHub | MISC | github.com | Release Notes, Third Party Advisory |
| Debian -- Security Information -- DSA-3017-1 php-cas | MISC | www.debian.org | Third Party Advisory |
| #759718 - php-cas needs to urlencode all tickets (CVE-2014-4172) - Debian Bug report logs | MISC | bugs.debian.org | Third Party Advisory |
| [cas-user] CAS Client Security Vulnerability CVE-2014-4172 | | www.mail-archive.com | |
| [SECURITY] Fedora 20 Update: cas-client-3.3.3-1.fc20 | MISC | lists.fedoraproject.org | Third Party Advisory |
| IBM X-Force Exchange | MISC | exchange.xforce.ibmcloud.com | Third Party Advisory, VDB Entry |
| URL Encode ticket parameter when presented for validation. by serac · Pull Request #125 · apereo/phpCAS · GitHub | MISC | github.com | Third Party Advisory |
| NETC-60 URL encode ticket parameter value. · apereo/dotnet-cas-client@f0e0300 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| 1131350 – (CVE-2014-4172) CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection | MISC | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| [cas-user] CAS Client Security Vulnerability CVE-2014-4172 | MISC | www.mail-archive.com | Patch, Third Party Advisory |
| CASC-228 URL Encode Paramaters Passed to Server via Validate · apereo/java-cas-client@ae37092 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| [CASC-228] CVE-2014-4172 URL Encode Parameters Passed to Validate Endpoints - Jira | MISC | issues.jasig.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.