CVE-2022-39369

Improper Validation of Specified Type of Input (CWE-1287)

Published: Nov 1, 2022 / Updated: 24mo ago

CVSS 8.0 (High) / EPSS 0.08%

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry, in the worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*"), or it may be strictly limited to known and authorized services in the same SSO federation if proper service URL validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while being logged in to the same CAS server.

phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting with this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc.

This vulnerability only impacts the CAS client application that the phpCAS library protects (the CASified service), not the CAS server. The problematic service URL discovery behavior in phpCAS < 1.6.0 is only disabled, and thus you are not impacted by it, if the phpCAS configuration has the following setup:

1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and
2. `phpCAS::setCallbackURL()` is called, only when proxy mode is enabled.

Separately, if the HTTP header inputs `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto` and `X-Forwarded-Protocol` are sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs, the severity of the vulnerability is reduced substantially, since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.
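The attack path above is easier to see in a runnable model. The following is an added example, not phpCAS code: a toy CAS server that binds each service ticket to the service URL it was issued for (the same ticket/service check a real CAS `/serviceValidate` performs), a pre-1.6.0-style discovery function that trusts `Host` and `X-Forwarded-*`, and a hardened variant modelled on the 1.6.0 service base URL argument. The header precedence, the fallback-to-first-base-URL rule, the ticket values and the hostnames `attacker.example` / `app.example` are all assumptions of this example.

```python
"""Model of CVE-2022-39369: header-driven service URL discovery.

Constructed example, not phpCAS code. Ticket identifiers, hostnames and the
exact 1.6.0 matching rule are assumptions made for illustration.
"""
from urllib.parse import urlsplit

# --- toy CAS server ---------------------------------------------------------
# ticket -> (user, service URL the ticket was issued for). Constructed data.
# "ST-1-attacker" was issued to the victim's browser after the attacker's site
# sent it to CAS with service=https://attacker.example/index.php; the attacker
# received it on the redirect back and now replays it against the victim app.
TICKETS = {
    "ST-1-attacker": ("victim", "https://attacker.example/index.php"),
    "ST-2-legit": ("alice", "https://app.example/index.php"),
}


def cas_service_validate(ticket, service):
    """Return the authenticated user if the ticket exists and was issued for
    exactly this service URL, else None (a CAS server refuses a ticket
    presented for a different service than it was granted for)."""
    entry = TICKETS.get(ticket)
    if entry is None:
        return None
    user, bound_service = entry
    return user if bound_service == service else None


# --- client-side service URL discovery -------------------------------------
def discover_service_url_vulnerable(headers, request_uri):
    """phpCAS < 1.6.0 style: scheme and host are taken from request headers
    that the caller controls. request_uri is the path with the ticket
    parameter already stripped. Header precedence is a simplification."""
    proto = (headers.get("X-Forwarded-Proto")
             or headers.get("X-Forwarded-Protocol")
             or ("https" if headers.get("HTTPS") == "on" else "http"))
    host = (headers.get("X-Forwarded-Host")
            or headers.get("X-Forwarded-Server")
            or headers["Host"])
    return f"{proto}://{host}{request_uri}"


def discover_service_url_hardened(headers, request_uri, service_base_urls):
    """Modelled on the 1.6.0 service base URL argument: the discovered
    scheme+host must be one of the configured base URLs, otherwise the first
    configured base URL is used. The fallback rule is an assumption here."""
    parts = urlsplit(discover_service_url_vulnerable(headers, request_uri))
    base = f"{parts.scheme}://{parts.netloc}"
    if base not in service_base_urls:
        base = service_base_urls[0]
    return base + request_uri


def app_login(headers, request_uri, ticket, service_base_urls=None):
    """The CASified app: derive the service URL, validate the ticket with the
    CAS server, and return the user the caller would be logged in as."""
    if service_base_urls is None:
        service = discover_service_url_vulnerable(headers, request_uri)
    else:
        service = discover_service_url_hardened(headers, request_uri,
                                                service_base_urls)
    return cas_service_validate(ticket, service)


# Attacker's request to the victim app: a ticket issued for the attacker's own
# registered service, with the Host header pointed at that service.
ATTACK_HEADERS = {"Host": "attacker.example", "HTTPS": "on"}
LEGIT_HEADERS = {"Host": "app.example", "HTTPS": "on"}
SERVICE_BASE_URLS = ["https://app.example"]


def run_attack_vulnerable():
    # Service URL becomes https://attacker.example/index.php, which is exactly
    # what the ticket was issued for, so CAS accepts it: attacker is "victim".
    return app_login(ATTACK_HEADERS, "/index.php", "ST-1-attacker")


def run_attack_hardened():
    # Host is not an allowed base URL, the app validates against
    # https://app.example/index.php, and CAS rejects the mismatched ticket.
    return app_login(ATTACK_HEADERS, "/index.php", "ST-1-attacker",
                     service_base_urls=SERVICE_BASE_URLS)


def run_legit_hardened():
    # Normal login still works once the base URL is pinned.
    return app_login(LEGIT_HEADERS, "/index.php", "ST-2-legit",
                     service_base_urls=SERVICE_BASE_URLS)


if __name__ == "__main__":
    print("pre-1.6.0 discovery logs the attacker in as:", run_attack_vulnerable())
    print("pinned base URL logs the attacker in as:", run_attack_hardened())
    print("pinned base URL logs a real user in as:", run_legit_hardened())
```

Note that the hardened variant still reads the headers; what changes is that an unexpected scheme or host can no longer change which service URL is sent to `/serviceValidate`. A reverse proxy that overwrites `X-Forwarded-*` and `Host` before PHP sees them achieves the same effect, which is why the advisory lists it as a mitigation.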

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2022-39369.

Nov 1, 2022 at 4:44 PM / twitter.com
EPSS

EPSS Score was set to: 0.08% (Percentile: 33%)

Sep 23, 2023 at 5:33 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (200532)

Jul 25, 2024 at 5:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (204923)

Aug 3, 2024 at 3:15 AM

Affected Systems

Fedoraproject/fedora

Patches

Github Advisory

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables (auto-mapped from CWE-1287; this pattern does not describe the actual issue, which is host-header-controlled service URL discovery, not a memory-safety bug)

Vendor Advisory

phpCAS vulnerable to Service Hostname Discovery Exploitation
This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP.

News

Fedora 37 : php-pear-CAS (2022-d6c6782130)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-d6c6782130 advisory. The remote Fedora host is missing one or more security updates.
Federicoquattrin ~ubuntu-security membership application
: Bugs : openjdk-7 package : Ubuntu (OpenJDK) and fixed the FTBFS issue by adding the missing ciphers back to the test suite only. I also found that Moodle (another source package not related to this collaboration) had a vendored version of php-cas so I updated the CVE to reflect that.
Debian GNU/Linux 11.11 released
The Debian project has released the eleventh and final update of their oldstable distribution, Debian 11, which includes security fixes and changes to major issues.
Updated Debian 11: 11.11 released
Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included.
phpCAS vulnerability
Releases: Ubuntu 16.04 ESM. Packages: php-cas - Central Authentication Service client library in php. Details: USN-6913-1 fixed CVE-2022-39369 for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. This update provides the corresponding fix for Ubuntu 16.04 LTS. Original advisory details: Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a vulnerable CASified service. This security update introduces an incompatible API change. After applying this update, third party applications need to be modified to pass in an additional service base URL argument when constructing the client class. For more information please refer to the section "Upgrading 1.5.0 -> 1.6.0" of the phpCAS upgrading document:...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
