GHSA-q39c-5vh5-vw2p

Source

https://github.com/advisories/GHSA-q39c-5vh5-vw2p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-q39c-5vh5-vw2p/GHSA-q39c-5vh5-vw2p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-q39c-5vh5-vw2p

Aliases

CVE-2020-27178

Published

2021-08-02T16:47:10Z

Modified

2024-02-17T05:35:20.937396Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Authentication in Apereo CAS

Details

Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2020-10-16T16:15:00Z",
    "github_reviewed_at": "2021-07-26T18:43:04Z",
    "severity": "HIGH"
}

References

Affected packages

Maven

org.apereo.cas:cas-server-webapp

Package

Name: org.apereo.cas:cas-server-webapp; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.16

Affected versions

5.*

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.12.1

5.3.13

5.3.14

5.3.15

5.3.15.1

org.apereo.cas:cas-server-webapp

Package

Name: org.apereo.cas:cas-server-webapp; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.7.2

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.5.1

6.0.6

6.0.7

6.0.8

6.0.8.1

6.1.0-RC1

6.1.0-RC2

6.1.0-RC3

6.1.0-RC4

6.1.0-RC5

6.1.0-RC6

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.7.1

Database specific

last_known_affected_version_range

"<= 6.1.7.1"

org.apereo.cas:cas-server-webapp

Package

Name: org.apereo.cas:cas-server-webapp; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-webapp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

6.2.3

org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name: org.apereo.cas:cas-server-support-otp-mfa-core; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.3.16

org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name: org.apereo.cas:cas-server-support-otp-mfa-core; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.1.7.2

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.5.1

6.0.6

6.0.7

6.0.8

6.0.8.1

6.1.0-RC1

6.1.0-RC2

6.1.0-RC3

6.1.0-RC4

6.1.0-RC5

6.1.0-RC6

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.7.1

Database specific

last_known_affected_version_range

"<= 6.1.7.1"

org.apereo.cas:cas-server-support-otp-mfa-core

Package

Name: org.apereo.cas:cas-server-support-otp-mfa-core; View open source insights on deps.dev
Purl: pkg:maven/org.apereo.cas/cas-server-support-otp-mfa-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.4

Affected versions

6.*

6.2.0

6.2.1

6.2.2

6.2.3