PT-2018-4196 · Jasig · Jasig Cas Server

Published

2018-07-20

·

Updated

2018-09-19

·

CVE-2014-2296

CVSS v2.0

6.8

Medium

Vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Jasig CAS server versions prior to 3.4.12.1
Jasig CAS server versions 3.5.x prior to 3.5.2.1

Description

The issue allows remote unauthenticated users to bypass authentication via crafted XML data when Google Accounts Integration is enabled. The root cause is an XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java: the SAML data received through that integration is parsed by an XML parser that still resolves external entities, so attacker-supplied DOCTYPE declarations are honoured while the untrusted document is processed.

Recommendations

For Jasig CAS server versions prior to 3.4.12.1, update to version 3.4.12.1 or later. For Jasig CAS server versions 3.5.x prior to 3.5.2.1, update to version 3.5.2.1 or later. If the update cannot be applied immediately, disable Google Accounts Integration until it is, since the vulnerable code path is only reachable while that integration is enabled.
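The following is an added example, not code from the CAS project or from the advisory, illustrating the defect class named above at the parser level: a SAML-style response is parsed once with a JAXP DocumentBuilder left at JDK defaults, which resolves the external entity and copies a local file into the NameID, and once with a DocumentBuilderFactory hardened against DTDs and external entities, which rejects the document outright. The class name XxeDemo, the temporary file standing in for a server-side secret, and the response payload are all constructed for the demonstration; the example does not reproduce the specific CAS code path or the exact bypass mechanics, which the advisory does not detail.

```java
// XxeDemo.java: added example, not Jasig CAS project code.
// Shows why parsing untrusted SAML with a default JAXP parser is dangerous
// and how a hardened DocumentBuilderFactory refuses the same input.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Permissive parser: JAXP defaults, which still resolve external entities. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE at all, no external entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse the response and return the text of the first saml:NameID element. */
    static String nameId(DocumentBuilder builder, String xml) throws SAXException, IOException {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the CAS host that an attacker wants to read.
        Path secret = Files.createTempFile("cas-secret", ".txt");
        Files.writeString(secret, "db-password=hunter2");

        // Constructed malicious response: the DOCTYPE declares an external entity pointing
        // at the local file, and the entity is referenced inside the NameID.
        String xml =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE Response [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n" +
            "                xmlns:saml=\"" + SAML_NS + "\">\n" +
            "  <saml:Assertion><saml:Subject>\n" +
            "    <saml:NameID>&xxe;</saml:NameID>\n" +
            "  </saml:Subject></saml:Assertion>\n" +
            "</samlp:Response>";

        // Default parser: the file contents are resolved into the identity field.
        System.out.println("permissive NameID: " + nameId(permissiveBuilder(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity can be resolved.
        try {
            nameId(hardenedBuilder(), xml);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }

        Files.delete(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on Java 11 or later. The point to check in any CAS deployment still on an affected version is whether every parser that touches Google Accounts Integration input sets the disallow-doctype-decl feature (or the equivalent on the parser in use); disabling only entity expansion is not enough, because external DTD loading and parameter entities remain separate vectors.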

Fix

XXE


Weakness Enumeration

Related identifiers

CVE-2014-2296

Affected products

Jasig Cas Server