PT-2023-22011 · Apereo · Apereo Cas

Artsploit

Published
2023-06-27

Updated
2024-08-05

CVE-2023-28857

CVSS v4.0
6.3
Medium

Vector
AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Apereo CAS versions prior to 6.6.6
Description
The issue affects Apereo CAS, an open source single sign-on solution. CAS can be configured to authenticate clients by X.509 certificate, supplied either in the TLS handshake or in a dedicated HTTP header such as "ssl client cert". When checking the validity of the provided client certificate, the server fetches the URLs listed in the certificate's "CRL Distribution Points" extension. If CAS is configured to use a password-protected LDAP server for X.509 authentication, requests to LDAP URLs taken from the certificate are made with the same password as the initially configured LDAP connection, so that password can be leaked to whichever LDAP host the certificate names. This allows an unauthenticated user to leak the password used for the LDAP connection configured on the server.

Recommendations
For versions prior to 6.6.6, upgrade to version 6.6.6 to address the issue. As a temporary workaround, consider restricting access to the LDAP server or changing the password used for the LDAP connection to minimize the risk of exploitation. Avoid using the same password for multiple LDAP connections until the issue is resolved.
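The following is an added illustration of the mitigation the description implies, not Apereo CAS code: a policy check that releases the configured LDAP bind password only to the operator-configured LDAP server and refuses every other CRL Distribution Point host taken from an untrusted client certificate. The configuration values, the HTTP allowlist and the sample URLs are constructed assumptions.

```python
# Added illustration for this advisory, not Apereo CAS code.
# The LDAP configuration, allowlist and sample URLs are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LdapConfig:
    host: str
    port: int
    bind_dn: str
    password: str  # must only ever be sent to host:port above


@dataclass(frozen=True)
class FetchDecision:
    url: str
    allowed: bool           # may the CRL be fetched from this URL at all?
    send_credentials: bool  # may the configured bind password be used?
    reason: str


def decide_crl_fetch(url: str, cfg: LdapConfig, http_allowlist: frozenset) -> FetchDecision:
    """Decide how a CRL Distribution Point URL from an *untrusted* client
    certificate may be dereferenced. The bind password is released only to
    the LDAP server the operator configured; everything else is refused."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FetchDecision(url, False, False, "malformed URL")
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme in ("ldap", "ldaps"):
        port = port or (636 if scheme == "ldaps" else 389)
        if host == cfg.host.lower() and port == cfg.port:
            return FetchDecision(url, True, True, "configured LDAP server")
        # Rejects a foreign host and the empty-host form "ldap:///..." alike.
        return FetchDecision(url, False, False, "LDAP host is not the configured server")
    if scheme in ("http", "https"):
        if host in http_allowlist:
            return FetchDecision(url, True, False, "allowlisted HTTP CRL host")
        return FetchDecision(url, False, False, "HTTP CRL host not allowlisted")
    return FetchDecision(url, False, False, f"unsupported scheme {scheme!r}")


def fetchable_crl_urls(urls, cfg, http_allowlist):
    """Filter a certificate's CRL Distribution Point list down to URLs that
    may be dereferenced, returning (url, send_credentials) pairs."""
    decisions = [decide_crl_fetch(u, cfg, http_allowlist) for u in urls]
    return [(d.url, d.send_credentials) for d in decisions if d.allowed]
```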

Exploit

Fix

Weakness Enumeration

Insufficiently Protected Credentials
Information Disclosure

Related Identifiers

CVE-2023-28857
GHSA-P78H-M8PV-G9GM

Affected Products

Apereo Cas