{"api_version":"1","generated_at":"2026-04-23T19:31:03+00:00","cve":"CVE-2014-4172","urls":{"html":"https://cve.report/CVE-2014-4172","api":"https://cve.report/api/cve/CVE-2014-4172.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-4172","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-4172"},"summary":{"title":"CVE-2014-4172","description":"A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-01-24 19:15:00","updated_at":"2023-11-07 02:20:00"},"problem_types":["CWE-74"],"metrics":[],"references":[{"url":"https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog","name":"https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"phpCAS/ChangeLog at master · apereo/phpCAS · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2014/dsa-3017.en.html","name":"https://www.debian.org/security/2014/dsa-3017.en.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3017-1 php-cas","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718","name":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718","refsource":"MISC","tags":["Third Party Advisory"],"title":"#759718 - php-cas needs to urlencode all tickets (CVE-2014-4172) - Debian Bug report logs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mail-archive.com/cas-user%40lists.jasig.org/msg17338.html","name":"https://www.mail-archive.com/cas-user%40lists.jasig.org/msg17338.html","refsource":"","tags":[],"title":"[cas-user] CAS Client Security Vulnerability CVE-2014-4172","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html","name":"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 20 Update: cas-client-3.3.3-1.fc20","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/95673","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/95673","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/Jasig/phpCAS/pull/125","name":"https://github.com/Jasig/phpCAS/pull/125","refsource":"MISC","tags":["Third Party Advisory"],"title":"URL Encode ticket parameter when presented for validation. by serac · Pull Request #125 · apereo/phpCAS · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d","name":"https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"NETC-60 URL encode ticket parameter value. · apereo/dotnet-cas-client@f0e0300 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131350","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1131350","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"1131350 – (CVE-2014-4172) CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html","name":"https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"[cas-user] CAS Client Security Vulnerability CVE-2014-4172","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814","name":"https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"CASC-228 URL Encode Paramaters Passed to Server via Validate · apereo/java-cas-client@ae37092 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://issues.jasig.org/browse/CASC-228","name":"https://issues.jasig.org/browse/CASC-228","refsource":"MISC","tags":["Third Party Advisory"],"title":"[CASC-228] CVE-2014-4172 URL Encode Parameters Passed to Validate Endpoints - Jira","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-4172","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-4172","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":".net_cas_client","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":".net_cas_client","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":"java_cas_client","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":"java_cas_client","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":"phpcas","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apereo","cpe5":"phpcas","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"20","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2014","cve_id":"4172","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"20","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2014-4172","STATE":"PUBLIC"},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1131350","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131350"},{"refsource":"MISC","name":"https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html","url":"https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html"},{"refsource":"MISC","name":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718"},{"refsource":"MISC","name":"https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d","url":"https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d"},{"refsource":"MISC","name":"https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814","url":"https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814"},{"refsource":"MISC","name":"https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog","url":"https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog"},{"refsource":"MISC","name":"https://github.com/Jasig/phpCAS/pull/125","url":"https://github.com/Jasig/phpCAS/pull/125"},{"refsource":"MISC","name":"https://issues.jasig.org/browse/CASC-228","url":"https://issues.jasig.org/browse/CASC-228"},{"refsource":"MISC","name":"https://www.debian.org/security/2014/dsa-3017.en.html","url":"https://www.debian.org/security/2014/dsa-3017.en.html"},{"refsource":"MISC","name":"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html","url":"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html"},{"refsource":"MISC","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/95673","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/95673"}]}},"nvd":{"publishedDate":"2020-01-24 19:15:00","lastModifiedDate":"2023-11-07 02:20:00","problem_types":["CWE-74"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apereo:.net_cas_client:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apereo:java_cas_client:*:*:*:*:*:*:*:*","versionEndExcluding":"3.3.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apereo:phpcas:*:*:*:*:*:*:*:*","versionEndExcluding":"1.3.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"4172","Ordinal":"71141","Title":"CVE-2014-4172","CVE":"CVE-2014-4172","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"4172","Ordinal":"1","NoteData":"A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.","Type":"Description","Title":null},{"CveYear":"2014","CveId":"4172","Ordinal":"2","NoteData":"2020-01-24","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"4172","Ordinal":"3","NoteData":"2020-01-24","Type":"Other","Title":"Modified"}]}}}