PT-2022-7432 · Phpcas+4

Henry Pan · Published 2022-11-01 · Updated 2025-09-29 · CVE-2022-39369

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: phpCAS versions prior to 1.6.0

Description: The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker who controls the Host header to use a valid ticket granted for any authorized service in the same SSO realm to authenticate to the service protected by phpCAS. An attacker may thereby gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while logged in to the same CAS server. The severity of the vulnerability is reduced substantially if the CAS server's service registry is configured to allow only known and trusted service URLs.

Recommendations: For phpCAS versions prior to 1.6.0, upgrade the library to version 1.6.0 or later to get the safe service discovery behavior. Alternatively, the vulnerability is mitigated if the phpCAS configuration has the following setup:
  1. phpCAS::setUrl() is called with the full URL of the current page, and
  2. phpCAS::setCallbackURL() is called when proxy mode is enabled,
or if the HTTP header input is sanitized before it reaches PHP.
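The mitigation the recommendations describe, as an added example that is not part of the advisory or the phpCAS project: the service URL and the proxy callback URL are pinned to an operator-configured base URL instead of being derived from the request's Host header, and the Host header is checked against that base before phpCAS runs. Assumed: phpCAS installed via Composer with the pre-1.6.0 client()/proxy() signature, and APP_BASE_URL, the CAS host, the CA path and the callback path are placeholders.

```php
<?php
// Added example, not the advisory's or phpCAS's own code. Pins the service URL
// so that ticket validation never depends on the attacker-controllable Host header.
require_once __DIR__ . '/vendor/autoload.php';

// Trusted origin of this application, set by the operator (placeholder value).
const APP_BASE_URL = 'https://app.example.org';
$proxyMode = false; // set to true only when this app acts as a CAS proxy

// Defence in depth: reject requests whose Host header does not match the
// configured origin, so unsanitised header input never reaches phpCAS.
function hostHeaderIsTrusted(string $hostHeader, string $baseUrl): bool
{
    $expected = strtolower((string) parse_url($baseUrl, PHP_URL_HOST));
    $host = strtolower(explode(':', $hostHeader, 2)[0]); // drop an explicit port
    return $expected !== '' && $host === $expected;
}

// Full URL of the current page built from the trusted base; the ticket query
// parameter is removed because the service URL must not contain the ticket.
function currentPageUrl(string $baseUrl, string $requestUri): string
{
    $parts = parse_url($requestUri);
    $path = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $query);
    unset($query['ticket']);
    $qs = http_build_query($query);
    return $baseUrl . $path . ($qs !== '' ? '?' . $qs : '');
}

if (!hostHeaderIsTrusted($_SERVER['HTTP_HOST'] ?? '', APP_BASE_URL)) {
    http_response_code(400);
    exit('Unexpected Host header');
}

// CAS server coordinates are placeholders; pre-1.6.0 signature (1.6.0 adds a
// required service base URL argument to client() and proxy()).
if ($proxyMode) {
    phpCAS::proxy(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas');
    // Mitigation 2: pin the PGT callback URL in proxy mode.
    phpCAS::setCallbackURL(APP_BASE_URL . '/cas-callback.php');
} else {
    phpCAS::client(CAS_VERSION_2_0, 'cas.example.org', 443, '/cas');
}
phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem'); // placeholder CA bundle

// Mitigation 1: explicit service URL instead of header-derived discovery.
phpCAS::setUrl(currentPageUrl(APP_BASE_URL, $_SERVER['REQUEST_URI'] ?? '/'));
phpCAS::forceAuthentication();
```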

Related Identifiers

ALSA-2025_16880
ALT-PU-2023-6265
ALT-PU-2023-6282
ALT-PU-2023-6850
ALT-PU-2024-1229
BDU:2024-06190
CVE-2022-39369
DLA-3485-1
DLA-3486-1
DLA-3487-1
GHSA-8Q72-6QQ8-XV64
MGASA-2022-0432
USN-6913-1
USN-6913-2
USN-6914-1

Affected Products

Alt Linux
Linuxmint
Red Os
Ubuntu
Phpcas