CVE-2023-4612
09.11.2023, 14:15
Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. As of the publication date there is no patch, and the vendor does not treat it as a vulnerability.
Enginsight
| Vendor | Product | Version |
|---|---|---|
| apereo | central_authentication_service | x < 7.0.0 |
| apereo | central_authentication_service | 7.0.0:rc1 |
| apereo | central_authentication_service | 7.0.0:rc2 |
| apereo | central_authentication_service | 7.0.0:rc3 |
| apereo | central_authentication_service | 7.0.0:rc4 |
| apereo | central_authentication_service | 7.0.0:rc5 |
| apereo | central_authentication_service | 7.0.0:rc6 |
| apereo | central_authentication_service | 7.0.0:rc7 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-302 - Authentication Bypass by Assumed-Immutable Data: The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
- CWE-287 - Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.