CVE-2022-39369: Resource Injection in Phpcas

Severity: 8.0 HIGH (NVD)
EPSS: 0.9% (top 23.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 1; latest update Jul 31

Description

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in wor
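The flaw described above is a trust problem, not a parsing bug: the service URL that the library presents to the CAS server for ticket validation is derived from the client-supplied Host header, so whoever sends the request also chooses which service the ticket is checked against. The following PHP example is added here for illustration and is not code from cvebase, NVD or the phpCAS project; it shows the vulnerable derivation beside the hardened form, where scheme and host come from deployment configuration (the approach phpCAS 1.6.0 takes with the `$service_base_url` argument to `phpCAS::client()`). The hostnames, the request arrays and the ticket value are constructed placeholders.

```php
<?php
// Added example (not from cvebase, NVD or the phpCAS project): why building
// the CAS service URL from request headers is dangerous, and the hardened
// alternative of pinning it to an operator-configured base URL.

// VULNERABLE pattern: the service URL handed to the CAS validation endpoint
// is assembled from attacker-influenced request headers.
function buildServiceUrlFromRequest(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    // $_SERVER['HTTP_HOST'] is the raw Host header; the client picks it freely,
    // so the resulting "service" is whatever the client says it is.
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return $scheme . '://' . $host . ($server['REQUEST_URI'] ?? '/');
}

// HARDENED pattern: scheme and host come from configuration that the
// operator controls; only the path and query are taken from the request.
// The configured value is validated once so a misconfiguration fails loudly
// instead of silently falling back to request data.
function buildServiceUrlFromConfig(string $serviceBaseUrl, array $server): string
{
    $parts = parse_url($serviceBaseUrl);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException(
            'service base URL must be absolute, e.g. https://app.example.org'
        );
    }
    $base = rtrim($serviceBaseUrl, '/');
    $path = $server['REQUEST_URI'] ?? '/';
    // Only a path-form request target is accepted; an absolute-form target
    // (one carrying its own scheme and host) is replaced by the root path.
    if ($path === '' || $path[0] !== '/' || str_contains($path, '://')) {
        $path = '/';
    }
    return $base . $path;
}

// Constructed request (placeholder values): a forged Host header naming a
// host outside the deployment, while the legitimate application answers on
// app.example.org.
$forged = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'attacker.example',           // constructed, not a real host
    'REQUEST_URI' => '/login?ticket=ST-placeholder', // constructed ticket value
];

// Vulnerable derivation: the Host header decides the service.
echo 'from request: ', buildServiceUrlFromRequest($forged), PHP_EOL;

// Hardened derivation: the Host header is ignored entirely.
echo 'from config:  ', buildServiceUrlFromConfig('https://app.example.org', $forged), PHP_EOL;
```

Run with `php example.php` (PHP 8.0 or newer, for `str_contains`). With the forged Host header, the first function yields a service URL on attacker.example, which is exactly the value the CAS server would then be asked to validate a ticket for; the second function yields a URL on app.example.org regardless of what the request claims, so a ticket issued for a different service in the same SSO realm no longer validates against this application. Pinning the base URL is the library-level fix; as defence in depth, the front-end web server or framework should also reject requests whose Host header is not on the deployment's allowlist.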

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.1 | Impact: 5.9

Affected Packages (3 packages)

Source      Package          Affected versions
NVD         apereo/phpcas    < 1.6.0
Packagist   apereo/phpcas    < 1.6.0
Debian      debian/php-cas   < php-cas 1.6.0-1 (bookworm)

Also affects: Fedora 35, 36, 37

Vulnerability Details (4)

OSV: php-cas vulnerability (2024-07-31)
GHSA: phpCAS vulnerable to Service Hostname Discovery Exploitation (2022-11-01)
OSV: phpCAS vulnerable to Service Hostname Discovery Exploitation (2022-11-01)
OSV: CVE-2022-39369: phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server (2022-11-01)

Vendor Advisories (4)

Ubuntu: phpCAS vulnerability (2024-07-31)
Ubuntu: OCS Inventory vulnerability (2024-07-24)
Ubuntu: phpCAS vulnerability (2024-07-24)
Debian: CVE-2022-39369: php-cas - phpCAS is an authentication library that allows PHP applications to easily authe... (2022)
CVE-2022-39369 — Resource Injection in Apereo Phpcas | cvebase