Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2014-3527

Опубликовано: 25 мая 2017
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Низкий

Описание

When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:spring_security:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.1.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.1.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*

EPSS

Процентиль: 58%
0.00359
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2014-3527

CVSS3: 9.8
ubuntu
больше 8 лет назад

When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

redhat логотип

CVE-2014-3527

redhat
больше 11 лет назад

When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.

debian логотип

CVE-2014-3527

CVSS3: 9.8
debian
больше 8 лет назад

When using the CAS Proxy ticket authentication from Spring Security 3. ...

github логотип

GHSA-wmv4-5w76-vp9g

CVSS3: 9.8
github
больше 5 лет назад

Authorization Bypass in Spring Security

EPSS

Процентиль: 58%
0.00359
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287