Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability.
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Central_authentication_service | Apereo | * | 7.0.0 (excluding) |
| Central_authentication_service | Apereo | 7.0.0-rc1 (including) | 7.0.0-rc1 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc2 (including) | 7.0.0-rc2 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc3 (including) | 7.0.0-rc3 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc4 (including) | 7.0.0-rc4 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc5 (including) | 7.0.0-rc5 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc6 (including) | 7.0.0-rc6 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc7 (including) | 7.0.0-rc7 (including) |