XML External Entity Vulnerability in Jasig CAS Server
CVE-2014-2296

8.8HIGH

Key Information:

Vendor

Apereo

Vendor
CVE Published:
20 July 2018

What is CVE-2014-2296?

An XML external entity (XXE) vulnerability exists in the Jasig CAS Server, specifically in the SamlUtils.java component. This issue occurs when Google Accounts Integration is enabled and enables remote, unauthenticated users to exploit crafted XML data to bypass standard authentication mechanisms. The vulnerability is present in CAS Server versions prior to 3.4.12.1 and in 3.5.x before 3.5.2.1. Organizations using affected versions should promptly upgrade to secure their applications and protect against potential unauthorized access.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.