CVE-2012-1104
Published: 2019-12-05
Priority: P428 · Severity: medium · CVSS 3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS: 1.71% (74.5th percentile)
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services is managed.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apereo | phpcas | — | — |
| debian | debian_linux | — | — |
| glpi-project | glpi | >= 0 < 0.84.3+dfsg.1-1 | 0.84.3+dfsg.1-1 |
| jasig_project | phpcas | — | — |
| moodle | moodle | >= 0 < 2.5.4-1ubuntu1 | 2.5.4-1ubuntu1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.3 | MEDIUM | — |
GHSA
GHSA-w256-hx99-6r3x (ghsa_unreviewed, 2022-04-23, MEDIUM): A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services is managed.
OSV
CVE-2012-1104 (osv, 2019-12-05, CVSS 5.3, MEDIUM): A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services is managed.
No detection rules found.
Bugzilla
CVE-2012-1104 php-pear-CAS: Improper management of service proxying (bugzilla, 2012-03-08, CVSS 5.3, MEDIUM)
A security flaw was found in the way phpCAS managed proxying of services. In the default configuration a phpCAS-protected application allowed any other CAS service with proxy authorization and valid user credentials in the same SSO realm to proxy to other phpCAS applications. The application that CAS services have been proxied to could use this flaw to use these CAS services in an unauthorized way.
Upstream bug report:
[1] https://issues.jasig.org/browse/PHPCAS-69
CVE request and assignment:
[2] http://www.openwall.com/lists/oss-security/2012/03/04/7
[3] http://seclists.org/oss-sec/2012/q1/551
Upstream patch (against trunk):
[4] https://github.com/Jasig/phpCAS/commit/717009a6529d7c7ad968544a5fff4a40a21137a6
Discussion:
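The Bugzilla report above describes the permissive default: any CAS service in the same SSO realm that held proxy authorization could proxy into a phpCAS application, and the application accepted the proxied ticket without checking who the proxy was. The Python example below is added here for illustration; it is not phpCAS code and not part of the original report. It models the allowlist approach of the upstream fix: parse the proxies the CAS server reports in its /proxyValidate response and accept a proxy ticket only when that chain matches one the application explicitly allows, with an empty allowlist rejecting every proxied ticket. The sample responses, the example.edu hostnames and the ProxyChain class are constructed for this example.

```python
"""Default-deny check of the proxy chain in a CAS /proxyValidate response.

Added example for this page, not phpCAS code. A proxy ticket is accepted only
when the chain of proxies reported by the CAS server matches a chain that the
application explicitly allows; with an empty allowlist every proxied ticket is
rejected, the opposite of the permissive default described in the bug report.
"""
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS protocol 2.0 shape (not captured traffic).
DIRECT_LOGIN = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

# One hop: a (hypothetical) portal obtained a proxy ticket for this application.
VIA_PORTAL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies><cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Two hops: a wiki, itself reached through the portal, proxied into this application.
# The server lists the proxy that presented the ticket first, the front end last.
VIA_WIKI = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://wiki.example.edu/pgtCallback</cas:proxy>
      <cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validate_response(xml_text):
    """Return (user, proxies); proxies is empty for a plain, unproxied service ticket."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise ValueError("CAS validation failed: " + code)
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    return user, proxies


class ProxyChain:
    """One allowed chain: exact URL strings or compiled regexes, nearest proxy first.

    Every reported proxy must match the pattern at its position. A plain chain also
    requires equal length; a trusted chain lets the reported list be longer, i.e. the
    trusted proxies may themselves have been reached through further proxies.
    """

    def __init__(self, patterns, trusted=False):
        self.patterns = list(patterns)
        self.trusted = trusted

    @staticmethod
    def _match_one(pattern, url):
        if isinstance(pattern, str):
            return pattern == url
        return pattern.fullmatch(url) is not None

    def matches(self, proxies):
        if len(proxies) < len(self.patterns):
            return False
        if len(proxies) > len(self.patterns) and not self.trusted:
            return False
        return all(self._match_one(p, u) for p, u in zip(self.patterns, proxies))


def proxy_chain_allowed(proxies, allowed_chains):
    """Default deny: an unproxied ticket is fine, a proxied one needs an allowed chain."""
    if not proxies:
        return True
    return any(chain.matches(proxies) for chain in allowed_chains)


def authorize(xml_text, allowed_chains):
    """Return (user, accepted) for a validation response under the given allowlist."""
    user, proxies = parse_validate_response(xml_text)
    return user, proxy_chain_allowed(proxies, allowed_chains)


PORTAL_ONLY = [ProxyChain(["https://portal.example.edu/pgtCallback"])]
WIKI_TRUSTED = [ProxyChain([re.compile(r"https://wiki\.example\.edu/.*")], trusted=True)]

if __name__ == "__main__":
    print(authorize(DIRECT_LOGIN, []))          # ('jdoe', True): no proxying involved
    print(authorize(VIA_PORTAL, []))            # ('jdoe', False): empty allowlist rejects
    print(authorize(VIA_PORTAL, PORTAL_ONLY))   # ('jdoe', True)
    print(authorize(VIA_WIKI, PORTAL_ONLY))     # ('jdoe', False): extra hop, chain not trusted
    print(authorize(VIA_WIKI, WIKI_TRUSTED))    # ('jdoe', True)
```

The point of the check is the empty-allowlist case: a validation response that carries a `<cas:proxies>` list is rejected unless the deployer has named the proxy, so a foreign service in the same SSO realm can no longer reach the application merely by holding proxy authorization. Exact-match chains are the safer default; regex or trusted chains only where an intermediate service is expected to be proxied into in turn.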
Bugzilla
CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [epel-all] (bugzilla, 2012-03-08, CVSS 5.3, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=8013
Bugzilla
CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [fedora-all] (bugzilla, 2012-03-08, CVSS 5.3, MEDIUM)
Automatically created Fedora tracking bug with the same template text as the [epel-all] tracking bug above.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=80
References
http://www.openwall.com/lists/oss-security/2012/03/05/7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1104
https://gitlab.vsb.cz/kal0178/sixmon/blob/b18bcde090dc38fc968a0b1e38d1dab08b8c369e/web/lib/CAS/CAS-1.3.5/docs/ChangeLog
https://security-tracker.debian.org/tracker/CVE-2012-1104
https://www.securityfocus.com/bid/52279