Proxy Ticket Authentication Vulnerability in Spring Security by Pivotal
CVE-2014-3527
9.8 CRITICAL
What is CVE-2014-3527?
A vulnerability exists in the Spring Security framework, affecting versions 3.1 through 3.2.4, in the CAS proxy ticket authentication mechanism. A malicious CAS Service can exploit it because the mechanism relies on untrusted information taken from the HTTP request; this allows the malicious service to trick another CAS Service into accepting proxy tickets that should not be authorized. Even where access control restrictions limit which CAS services may authenticate, the flaw allows those restrictions to be bypassed. Users who do not use CAS proxy tickets, or who do not rely solely on CAS Service information for access control decisions, are not directly affected.
Affected Version(s)
Spring Security 3.1 to 3.2.4
