cve-2022-39369
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 12:00
Severity ?
EPSS score ?
Summary
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:44.178Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64" }, { "name": "FEDORA-2022-37c2d26f59", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/" }, { "name": "FEDORA-2022-d6c6782130", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/" }, { "name": "FEDORA-2022-76b3530ac2", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/" }, { "name": "[debian-lts-announce] 20230708 [SECURITY] [DLA 3485-1] php-cas security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "phpCAS", "vendor": "apereo", "versions": [ { "status": "affected", "version": "\u003c 1.6.0" } ] } ], "descriptions": [ { "lang": "en", "value": "phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to \"^(https)://.*\") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim\u0027s account on a vulnerable CASified service without victim\u0027s knowledge, when the victim visits attacker\u0027s website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS \u003c 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP\u0027s HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-99", "description": "CWE-99: Improper Control of Resource Identifiers (\u0027Resource Injection\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-08T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64" }, { "name": "FEDORA-2022-37c2d26f59", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/" }, { "name": "FEDORA-2022-d6c6782130", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/" }, { "name": "FEDORA-2022-76b3530ac2", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/" }, { "name": "[debian-lts-announce] 20230708 [SECURITY] [DLA 3485-1] php-cas security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html" } ], "source": { "advisory": "GHSA-8q72-6qq8-xv64", "discovery": "UNKNOWN" }, "title": "Service Hostname Discovery Exploitation in phpCAS" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39369", "datePublished": "2022-11-01T00:00:00", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:44.178Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-39369\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-01T17:15:10.267\",\"lastModified\":\"2024-11-21T07:18:09.047\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to \\\"^(https)://.*\\\") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim\u0027s account on a vulnerable CASified service without victim\u0027s knowledge, when the victim visits attacker\u0027s website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS \u003c 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP\u0027s HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.\"},{\"lang\":\"es\",\"value\":\"phpCAS es una librer\u00eda de autenticaci\u00f3n que permite que las aplicaciones PHP autentiquen f\u00e1cilmente a los usuarios a trav\u00e9s del servidor Central Authentication Service (CAS). La librer\u00eda phpCAS utiliza encabezados HTTP para determinar la URL del servicio utilizada para validar tickets. Esto permite a un atacante controlar el encabezado del host y utilizar un ticket v\u00e1lido otorgado para cualquier servicio autorizado en el mismo \u00e1mbito SSO (servidor CAS) para autenticarse en el servicio protegido por phpCAS. Dependiendo de la configuraci\u00f3n del registro de servicios del servidor CAS, en el peor de los casos, esta puede ser cualquier otra URL de servicio (si las URL permitidas est\u00e1n configuradas en \\\"^(https)://.*\\\") o puede estar estrictamente limitada a servicios conocidos y autorizados. en la misma federaci\u00f3n SSO si se aplica la validaci\u00f3n adecuada del servicio URL. Esta vulnerabilidad puede permitir que un atacante obtenga acceso a la cuenta de una v\u00edctima en un servicio CASified vulnerable sin el conocimiento de la v\u00edctima, cuando la v\u00edctima visita el sitio web del atacante mientras est\u00e1 conectado al mismo servidor CAS. phpCAS 1.6.0 es una actualizaci\u00f3n de versi\u00f3n importante que comienza a imponer la validaci\u00f3n de descubrimiento de URL del servicio, porque desafortunadamente no existe una configuraci\u00f3n predeterminada 100% segura para usar en PHP. A partir de esta versi\u00f3n, es necesario pasar un argumento de URL base de servicio adicional al construir la clase de cliente. Para obtener m\u00e1s informaci\u00f3n, consulte el documento de actualizaci\u00f3n. Esta vulnerabilidad solo afecta al cliente CAS contra el que protege la librer\u00eda phpCAS. El comportamiento problem\u00e1tico de descubrimiento de URL del servicio en phpCAS \u0026lt; 1.6.0 solo se deshabilitar\u00e1 y, por lo tanto, usted no se ver\u00e1 afectado si la configuraci\u00f3n de phpCAS tiene la siguiente configuraci\u00f3n: 1. Se llama a `phpCAS::setUrl()` (un recordatorio de que debe pasar la URL completa). de la p\u00e1gina actual, en lugar de la URL base de su servicio), y 2. Se llama a `phpCAS::setCallbackURL()`, solo cuando el modo proxy est\u00e1 habilitado. 3. Si la entrada del encabezado HTTP de PHP `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` se sanitiza antes de llegar a PHP (por un proxy inverso, por ejemplo), esta vulnerabilidad tampoco le afectar\u00e1. Si el registro de servicios de su servidor CAS est\u00e1 configurado para permitir solo URL de servicios conocidos y confiables, la gravedad de la vulnerabilidad se reduce sustancialmente ya que un atacante debe tener el control de otro servicio autorizado. De lo contrario, debe actualizar la librer\u00eda para obtener un comportamiento de descubrimiento de servicios seguro.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-99\"},{\"lang\":\"en\",\"value\":\"CWE-1287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:phpcas:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.6.0\",\"matchCriteriaId\":\"BFCFFAD3-7480-4042-B960-36ECB28467FB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/07/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XL7SMW6ESSP2Y6HHRYWW2MMCZSI4LBZ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUA2JM6YT3ZXSZLBJVRA32AXYM3GJMO3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJZGTWJ5ZXUUT47EHARNOUUNTH6SYDSE/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.