Vulnerability Description
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apereo | Cas Server | < 3.4.12.1 |
Related Weaknesses (CWE)
References
- http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4Release NotesVendor Advisory
- https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-viaThird Party Advisory
- http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4Release NotesVendor Advisory
- https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-viaThird Party Advisory
FAQ
What is CVE-2014-2296?
CVE-2014-2296 is a vulnerability with a CVSS score of 8.8 (HIGH). XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remo...
How severe is CVE-2014-2296?
CVE-2014-2296 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-2296?
Check the references section above for vendor advisories and patch information. Affected products include: Apereo Cas Server.