CVE-2023-28857

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28857

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28857.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28857

Aliases

GHSA-p78h-m8pv-g9gm

Published

2023-06-27T17:10:47.930Z

Modified

2025-12-02T23:57:31.866010Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

LDAP password leak in Apereo CAS - GHSL-2023-009

Details

Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “sslclientcert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler performs check that this certificate is not revoked. To do so, it fetches URLs provided in the “CRL Distribution Points” extension of the certificate, which are taken from the certificate itself and therefore can be controlled by a malicious user. If the CAS server is configured to use an LDAP server for x509 authentication with a password, for example by setting a “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches revocation URLs from the certificate, which can be LDAP urls. When making requests to this LDAP urls, Apereo CAS uses the same password as for initially configured LDAP server, which can lead to a password leak. An unauthenticated user can leak the password used to LDAP connection configured on server. This issue has been addressed in version 6.6.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28857.json"
}

References

Affected packages

Git / github.com/apereo/cas

Affected ranges

Type: GIT
Repo: https://github.com/apereo/cas
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

adee006544f6e82d43606ff0512b8d93853da3d6

Affected versions

3.*

3.4.11-RC1

6.*

6.3.0-RC1

v3.*

v3.4.11

v3.5.0

v3.5.0-RC1

v3.5.0-RC2

v3.5.1

v3.5.1-RC1

v4.*

v4.0.0-RC1

v6.*

v6.1.0-RC5

v6.1.0-RC6

v6.2.0-RC1

v6.2.0-RC2

v6.2.0-RC3

v6.2.0-RC4

v6.2.0-RC5

v6.3.0-RC2

v6.3.0-RC3

v6.3.0-RC4

v6.3.0-RC5

v6.4.0-RC1

v6.4.0-RC2

v6.4.0-RC3

v6.4.0-RC4

v6.4.0-RC5

v6.4.0-RC6

v6.5.0-RC1

v6.5.0-RC2

v6.5.0-RC3

v6.5.0-RC4

v6.5.0-RC5

v6.6.0

v6.6.0-RC1

v6.6.0-RC2

v6.6.0-RC3

v6.6.0-RC4

v6.6.0-RC5

v6.6.1

v6.6.2

v6.6.3

v6.6.4

v6.6.5

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2023-28857-4ff42509",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "264961458287417714707294800830550887983",
                "105109564877415067348130269570313055837",
                "21993627550315214828746452553276050420",
                "139643187003259681287323476306782309703"
            ]
        },
        "target": {
            "file": "support/cas-server-support-x509-core/src/main/java/org/apereo/cas/adaptors/x509/authentication/ldap/LdaptiveResourceCRLFetcher.java"
        },
        "source": "https://github.com/apereo/cas/commit/adee006544f6e82d43606ff0512b8d93853da3d6"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2023-28857-89dd0f0e",
        "deprecated": false,
        "digest": {
            "function_hash": "282329613634731693422757852303318082076",
            "length": 167.0
        },
        "target": {
            "function": "prepareConnectionFactory",
            "file": "support/cas-server-support-x509-core/src/main/java/org/apereo/cas/adaptors/x509/authentication/ldap/LdaptiveResourceCRLFetcher.java"
        },
        "source": "https://github.com/apereo/cas/commit/adee006544f6e82d43606ff0512b8d93853da3d6"
    }
]

Git / github.com/jasig/cas

Affected ranges

Type: GIT
Repo: https://github.com/jasig/cas
Events: Introduced

e1e6e653906ddcaa6f9ab62064bfee379f966d11

Fixed

ac34a21fbb515307bdcd749bd0901c8e41ff4964

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2023-28857-0112d97e",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "264961458287417714707294800830550887983",
                "105109564877415067348130269570313055837",
                "21993627550315214828746452553276050420",
                "139643187003259681287323476306782309703"
            ]
        },
        "target": {
            "file": "support/cas-server-support-x509-core/src/main/java/org/apereo/cas/adaptors/x509/authentication/ldap/LdaptiveResourceCRLFetcher.java"
        },
        "source": "https://github.com/jasig/cas/commit/ac34a21fbb515307bdcd749bd0901c8e41ff4964"
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2023-28857-3bc8ecb5",
        "deprecated": false,
        "digest": {
            "function_hash": "282329613634731693422757852303318082076",
            "length": 167.0
        },
        "target": {
            "function": "prepareConnectionFactory",
            "file": "support/cas-server-support-x509-core/src/main/java/org/apereo/cas/adaptors/x509/authentication/ldap/LdaptiveResourceCRLFetcher.java"
        },
        "source": "https://github.com/jasig/cas/commit/ac34a21fbb515307bdcd749bd0901c8e41ff4964"
    }
]