CVE-2012-1105
published 2019-12-05
Priority P4 · 24 · medium · 5.5 CVSS 3.1
AV:L · AC:L · PR:L · UI:N · S:U · C:H · I:N · A:N
EPSS 0.46% (36.9th percentile)
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apereo | phpcas | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| glpi-project | glpi | >= 0 < 0.84.3+dfsg.1-1 | 0.84.3+dfsg.1-1 |
| jasig_project | php-pear-cas | — | — |
| moodle | moodle | >= 0 < 2.5.4-1ubuntu1 | 2.5.4-1ubuntu1 |
CVSS provenance
nvd · v3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 2.1 LOW · AV:L/AC:L/Au:N/C:P/I:N/A:N
osv · 5.5 MEDIUM
GHSA
GHSA-rfxh-pjwm-crgg: An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1
ghsa_unreviewed·2022-04-23
CVE-2012-1105 [MEDIUM] CWE-200 GHSA-rfxh-pjwm-crgg: An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1
OSV
CVE-2012-1105: An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1
osv·2019-12-05·CVSS 5.5
CVE-2012-1105 [MEDIUM] CVE-2012-1105: An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1
No detection rules found.
Bugzilla
CVE-2012-1105 php-pear-CAS: Debug log and proxy configuration session data stored in /tmp without proper protection
bugzilla·2012-03-08·CVSS 5.5
CVE-2012-1105 [MEDIUM] CVE-2012-1105 php-pear-CAS: Debug log and proxy configuration session data stored in /tmp without proper protection
An information disclosure flaw was found in the way phpCAS, the Central Authentication Service client library in the PHP language, performed archiving of the debug logging file in the default debug configuration and archiving of proxy configuration session data. Both of the files were archived in the /tmp directory in files with unsafe permissions. A local attacker could use this flaw to obtain private user attributes and sensitive login tokens by inspecting the content of those archived files.
Upstream bug report:
[1] https://github.com/Jasig/phpCAS/issues/22
CVE request and assignment:
[2] http://www.openwall.com/lists/oss-security/2012/03/04/7
[3] http://seclists.org/oss-sec/2012/q1/55
Bugzilla
CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [epel-all]
bugzilla·2012-03-08·CVSS 5.3
CVE-2012-1104 [MEDIUM] CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=8013
Bugzilla
CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [fedora-all]
bugzilla·2012-03-08·CVSS 5.3
CVE-2012-1104 [MEDIUM] CVE-2012-1104 CVE-2012-1105 php-pear-CAS various flaws [fedora-all]
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=80
http://www.openwall.com/lists/oss-security/2012/03/05/7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1105
https://gitlab.vsb.cz/kal0178/sixmon/blob/b18bcde090dc38fc968a0b1e38d1dab08b8c369e/web/lib/CAS/CAS-1.3.5/docs/ChangeLog
https://security-tracker.debian.org/tracker/CVE-2012-1105
https://www.securityfocus.com/bid/52280
Published 2019-12-05