
Bug#1077984: bullseye-pu: package php-cas/1.3.8-1+deb11u1

Control: tags -1 + confirmed

On Mon, 2024-08-05 at 13:16 +0000, Bastien Roucariès wrote:
> [ Reason ]
> CVE-2022-39369
> 
> [ Impact ]
> Service Hostname Discovery Exploitation
> 
> The phpCAS library uses HTTP headers to determine the service URL
> used to validate tickets. This allows an attacker to control the host
> header and use a valid ticket granted for any authorized service in
> the same SSO realm (CAS server) to authenticate to the service
> protected by phpCAS. Depending on the settings of the CAS server
> service registry in worst case this may be any other service URL (if
> the allowed URLs are configured to "^(https)://.*") or may be
> strictly limited to known and authorized services in the same SSO
> federation if proper URL service validation is applied.
> 
> This vulnerability may allow an attacker to gain access to a victim's
> account on a vulnerable CASified service without the victim's knowledge,
> when the victim visits the attacker's website while being logged in to
> the same CAS server.

+php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=high

Both the changelog and NEWS file should use "bullseye" as the
distribution.

With that fixed, please go ahead.

Regards,

Adam
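The quoted report describes the root cause as deriving the service URL from the request's Host header. As an added illustration of the defensive pattern (not code from the bug report, from Debian's patch, or from phpCAS itself), the function below picks the service base URL from an operator-configured allow-list and only treats the Host header as a lookup key; `selectServiceBaseUrl` and the sample configuration are constructed for this example.

```php
<?php
// Added example, not part of the bug report or of phpCAS.
// Defensive pattern: the service URL used for ticket validation comes
// from configured values, never directly from the untrusted Host header.

/**
 * Pick the configured service base URL matching the incoming request.
 *
 * @param string[] $allowedBaseUrls Operator-configured list, e.g.
 *                                  ['https://app.example.org', 'https://app.example.org:8443']
 * @param string   $hostHeader      Raw HTTP Host header (untrusted input)
 * @param bool     $https           Whether the request arrived over TLS
 * @return string|null              A configured base URL, or null if no entry matches
 */
function selectServiceBaseUrl(array $allowedBaseUrls, string $hostHeader, bool $https): ?string
{
    $scheme      = $https ? 'https' : 'http';
    $defaultPort = $https ? 443 : 80;

    // Normalise the untrusted host[:port] from the request.
    $req = parse_url($scheme . '://' . $hostHeader);
    if ($req === false || !isset($req['host'])) {
        return null; // unparsable header: refuse rather than guess
    }
    $reqHost = strtolower($req['host']);
    $reqPort = $req['port'] ?? $defaultPort;

    foreach ($allowedBaseUrls as $base) {
        $b = parse_url($base);
        if ($b === false || !isset($b['scheme'], $b['host'])) {
            continue; // malformed configuration entry, skip it
        }
        $bPort = $b['port'] ?? ($b['scheme'] === 'https' ? 443 : 80);
        // Exact match on scheme, case-insensitive host and effective port.
        if ($b['scheme'] === $scheme
            && strtolower($b['host']) === $reqHost
            && $bPort === $reqPort) {
            return $base; // return the configured value, not the header
        }
    }
    // No match: return null so the caller can fall back to a configured
    // default or reject the request; never echo the header back.
    return null;
}

// Constructed configuration and sample requests for a local run.
$allowed = ['https://app.example.org'];
var_dump(selectServiceBaseUrl($allowed, 'app.example.org', true));
var_dump(selectServiceBaseUrl($allowed, 'App.Example.org:443', true));
var_dump(selectServiceBaseUrl($allowed, 'other.example.net', true));
```

The first two calls return the configured `https://app.example.org` (the second after normalising case and the default port); the third returns `null` because the host is not in the allow-list.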