GHSA-q39c-5vh5-vw2p

Suggest an improvement
Source
https://github.com/advisories/GHSA-q39c-5vh5-vw2p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-q39c-5vh5-vw2p/GHSA-q39c-5vh5-vw2p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q39c-5vh5-vw2p
Aliases
Published
2021-08-02T16:47:10Z
Modified
2024-02-17T05:35:20.937396Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Improper Authentication in Apereo CAS
Details

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.

Database specific
{
    "nvd_published_at": "2020-10-16T16:15:00Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-26T18:43:04Z"
}
References

Affected packages

Maven / org.apereo.cas:cas-server-webapp

Package

Name
org.apereo.cas:cas-server-webapp
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.16

Affected versions

5.*

5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.12.1
5.3.13
5.3.14
5.3.15
5.3.15.1

Maven / org.apereo.cas:cas-server-webapp

Package

Name
org.apereo.cas:cas-server-webapp
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.7.2

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4
6.1.0-RC5
6.1.0-RC6
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.7.1

Database specific

{
    "last_known_affected_version_range": "<= 6.1.7.1"
}

Maven / org.apereo.cas:cas-server-webapp

Package

Name
org.apereo.cas:cas-server-webapp
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.4

Affected versions

6.*

6.2.0
6.2.1
6.2.2
6.2.3

Maven / org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name
org.apereo.cas:cas-server-support-otp-mfa-core
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.16

Maven / org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name
org.apereo.cas:cas-server-support-otp-mfa-core
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.7.2

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.5.1
6.0.6
6.0.7
6.0.8
6.0.8.1
6.1.0-RC1
6.1.0-RC2
6.1.0-RC3
6.1.0-RC4
6.1.0-RC5
6.1.0-RC6
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.7.1

Database specific

{
    "last_known_affected_version_range": "<= 6.1.7.1"
}

Maven / org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name
org.apereo.cas:cas-server-support-otp-mfa-core
View open source insights on deps.dev
Purl
pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.4

Affected versions

6.*

6.2.0
6.2.1
6.2.2
6.2.3