Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability.
Weakness
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Central_authentication_service | Apereo | * | 7.0.0 (excluding) |
| Central_authentication_service | Apereo | 7.0.0-rc1 (including) | 7.0.0-rc1 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc2 (including) | 7.0.0-rc2 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc3 (including) | 7.0.0-rc3 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc4 (including) | 7.0.0-rc4 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc5 (including) | 7.0.0-rc5 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc6 (including) | 7.0.0-rc6 (including) |
| Central_authentication_service | Apereo | 7.0.0-rc7 (including) | 7.0.0-rc7 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/10.html
- https://cwe.mitre.org/data/definitions/13.html
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/274.html
- https://cwe.mitre.org/data/definitions/31.html
- https://cwe.mitre.org/data/definitions/39.html
- https://cwe.mitre.org/data/definitions/45.html
- https://cwe.mitre.org/data/definitions/77.html